incubator-allura-dev mailing list archives

From Dave Brondsema <dbronds...@slashdotmedia.com>
Subject Re: Documenting Tool Permissions
Date Wed, 17 Jul 2013 17:00:21 GMT
Sounds reasonable.  I don't remember exactly what "configure" gives access
to across all tools.  If it's fairly standard (e.g. accessing the admin
options for tools) then perhaps we'd want to keep it as that (although I
don't know what the difference between admin & configure would be then),
and keep save_searches as a separate perm since it's not an admin option
page.


On Wed, Jul 17, 2013 at 11:55 AM, Tim Van Steenburgh <
tvansteenburgh@gmail.com> wrote:

> I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In
> documenting permissions, I'm finding places where things are not working as
> probably intended.
>
> Consider the "save_searches", "configure", and "admin" permissions in the
> Tracker tool:
>
> - "save_searches" protects the individual methods on the BinController,
>   but...
> - ...user will not actually see the "Edit Searches" button in the sidebar
>   unless he has the "configure" permission; however...
> - even with the "configure" permission, user will get a 403 when clicking on
>   the "Edit Searches" button unless he also has the "admin" permission, b/c
>   the BinController is mounted on the TrackerAdminController
>
> I have two proposals:
>
> 1. Remove the "save_searches" permission and include "Edit Searches" in the
>    "configure" permission
> 2. Move the BinController off the TrackerAdminController and onto the Tracker
>    RootController
>
> Anyone have thoughts on this, or objections?
>
>
> --
> Tim Van Steenburgh
>
>


-- 
Dave Brondsema
Principal Software Engineer - sourceforge.net
Dice Holdings, Inc.
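
Added example (not part of the thread and not Allura's code): a toy model of the mismatch described in the quoted message, where the permission that makes a link visible differs from the permissions checked on the way to the controller behind it. The mount segments "admin" and "bins", the helper names, and the assumption that each controller enforces one permission on everything mounted beneath it are illustrative.

```python
class Controller:
    """One node in a controller tree; `requires` is checked on traversal."""
    def __init__(self, name, requires=()):
        self.name = name
        self.requires = frozenset(requires)
        self.children = {}

    def mount(self, segment, child):
        self.children[segment] = child
        return child

def effective_permissions(root, path):
    """Union of every permission checked while dispatching down `path`."""
    needed, node = set(root.requires), root
    for segment in path:
        node = node.children[segment]
        needed |= node.requires
    return needed

def audit_link(root, path, link_visible_with):
    """Compare what shows a link with what is needed to follow it."""
    needed = effective_permissions(root, path)
    return {
        "needed": needed,
        # Non-empty: a user who sees the link can still get a 403.
        "denied_despite_link": needed - set(link_visible_with),
    }

def build_tracker(bins_under_admin):
    """Hypothetical layout: BinController under the admin or root controller."""
    root = Controller("RootController")
    admin = root.mount("admin", Controller("TrackerAdminController", {"admin"}))
    bins = Controller("BinController", {"save_searches"})
    (admin if bins_under_admin else root).mount("bins", bins)
    return root

if __name__ == "__main__":
    # Layout from the message: button shown with "configure",
    # BinController mounted on TrackerAdminController.
    print(audit_link(build_tracker(True), ["admin", "bins"], {"configure"}))
    # Second proposal, assuming the button is then shown with "save_searches".
    print(audit_link(build_tracker(False), ["bins"], {"save_searches"}))
```

Running the same audit over every sidebar link in a tool gives a quick list of places where UI gating and endpoint enforcement have drifted apart.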
