incubator-allura-dev mailing list archives

From Tim Van Steenburgh <tvansteenbu...@gmail.com>
Subject Re: Documenting Tool Permissions
Date Wed, 17 Jul 2013 18:22:22 GMT


On Wednesday, July 17, 2013 at 11:55 AM, Tim Van Steenburgh wrote:

> I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In documenting permissions, I'm finding places where things are not working as probably intended.
> 
> Consider the "save_searches", "configure", and "admin" permissions in the Tracker tool:
> "save_searches" protects the individual methods on the BinController, but...
> ...user will not actually see the "Edit Searches" button in the sidebar unless he has the "configure" permission; however...
> even with the "configure" permission, user will get a 403 when clicking on the "Edit Searches" button unless he also has the "admin" permission, b/c the BinController is mounted on the TrackerAdminController
> 

After more digging I've discovered that this particular problem is system-wide. There are
many controller methods on Application admin controllers that purport to be protected by the
"configure" permission, yet are unreachable by a user with the bare "configure" permission,
because the ProjectAdminController through which the request is dispatched requires a blanket
"admin" permission.

I don't have a solution to propose for this yet, but will report back when I do. Would be
glad to hear ideas from others in the meantime.
> I have two proposals:
> 
> Remove the "save_searches" permission and include "Edit Searches" in the "configure" permission
> Move the BinController off the TrackerAdminController and onto the Tracker RootController
> 
> Anyone have thoughts on this, or objections?
> 
> -- 
> Tim Van Steenburgh


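The nesting problem the thread describes, as an added model that is not Allura's own code: each controller checks a permission before dispatching to its child, so a method documented as needing only "save_searches" is unreachable without "admin" while its controller is mounted under TrackerAdminController. The controller and permission names come from the thread; the `dispatch` and `shadowed_methods` functions, and the flat permission sets (no admin-implies-everything inheritance), are assumptions for illustration.

```python
# Added model (not Allura's own code): nested controllers that each check a
# permission before dispatching to a child, as described in the thread above.
from dataclasses import dataclass, field

@dataclass
class Controller:
    name: str
    required: str = ''                              # checked on every request passing through; '' = no check
    children: dict = field(default_factory=dict)    # url part -> Controller
    methods: dict = field(default_factory=dict)     # method name -> permission the method itself requires

def dispatch(root, path, perms):
    """Walk a URL path through nested controllers. Returns (True, handler) when every
    check on the way in passes, else (False, reason) at the first failing check (the 403)."""
    node, parts = root, path.strip('/').split('/')
    for i, part in enumerate(parts):
        if node.required and node.required not in perms:
            return False, f'{node.name} requires {node.required!r}'
        if part in node.children:
            node = node.children[part]
        elif part in node.methods and i == len(parts) - 1:
            need = node.methods[part]
            if need and need not in perms:
                return False, f'{node.name}.{part} requires {need!r}'
            return True, f'{node.name}.{part}'
        else:
            raise LookupError(path)   # not found: a 404 rather than a 403
    raise LookupError(path)

def tracker_as_described():
    # BinController mounted under TrackerAdminController, which demands "admin" (assumed layout).
    bins = Controller('BinController', methods={'save': 'save_searches'})
    admin = Controller('TrackerAdminController', 'admin', children={'bins': bins})
    return Controller('TrackerRootController', children={'admin': admin})

def tracker_with_bins_on_root():
    # Second proposal from the thread: mount BinController directly on the tool's RootController.
    bins = Controller('BinController', methods={'save': 'save_searches'})
    admin = Controller('TrackerAdminController', 'admin')
    return Controller('TrackerRootController', children={'admin': admin, 'bins': bins})

def shadowed_methods(node, ancestors=(), prefix=''):
    """Audit: methods whose own permission differs from one an enclosing controller demands,
    so the permission they appear to be protected by is not the effective one."""
    reqs = ancestors + ((node.required,) if node.required else ())
    found = [(prefix + m, need, a) for m, need in node.methods.items() for a in reqs if a != need]
    for name, child in node.children.items():
        found += shadowed_methods(child, reqs, f'{prefix}{name}/')
    return found
```

Running `shadowed_methods` over a whole controller tree is the system-wide check the message calls for: it lists every method whose documented permission is overridden by a blanket check above it.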