Defect #1: permissions if not admin
Status: closed
% Done: 0%
Description
You probably already know this, but just in case....
If a user is not an administrator and they attempt to click on a project where they are a member (in any role, manager,
developer, reporter, etc.), there is an unexpected result:
    Filter chain halted as [authorize] returned false
    Completed in 0.00010 (10000 reqs/sec) | Rendering: 0.00000 (0%) | DB: 0.00000 (0%) | 403 [http://localhost/projects/show/1]
I believe this is the relevant code in the application.rb:
    # admin is always authorized
    return true if self.logged_in_user.admin?
    # if not admin, check membership permission
    @user_membership ||= Member.find(:first, :conditions => ["user_id=? and project_id=?",
                                                             self.logged_in_user.id, @project.id])
    # ctrl/action are the controller and action names of the current request
    if @user_membership and Permission.allowed_to_role("%s/%s" % [ctrl, action], @user_membership.role_id)
      return true
    end
    # no positive match above: deny with an empty 403 response
    render :nothing => true, :status => 403
-/-
Put another way: create a non-admin user, add this user to a project in any role (manager, developer, etc.) and then
log in as this new user. When you click on the project, you receive a blank page.
-/-
Thoughts? Let me know if you want any help on this or if I'm doing something strange?
Todd
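To make the filter's decision paths concrete, here is an added example that is not Redmine's code: a self-contained Ruby model of the authorize logic quoted in the report, with in-memory stand-ins for the Member and Permission lookups. The AuthUser and Membership structs, the ROLE_PERMISSIONS and MEMBERS tables, and the deny_reason helper are all constructed for this example; the real application uses ActiveRecord models. The point it shows is that the check is deny-by-default, so a non-admin member only ever sees 403 for one of two reasons: the membership row was not found, or the role has no entry for the requested "controller/action" permission.

```ruby
# Constructed stand-ins for the ActiveRecord models used by the filter.
AuthUser   = Struct.new(:id, :admin)                    # admin: true/false
Membership = Struct.new(:user_id, :project_id, :role_id)

# Constructed role permission table: role_id => ["controller/action", ...]
# (stands in for Permission.allowed_to_role).
ROLE_PERMISSIONS = {
  1 => %w[projects/show projects/edit issues/new],   # manager
  2 => %w[projects/show issues/new],                 # developer
  3 => %w[projects/show],                            # reporter
  4 => %w[issues/new],                               # a role that lacks projects/show
}.freeze

# Constructed membership table (stands in for the Member model).
MEMBERS = [
  Membership.new(10, 1, 1),   # user 10 is a manager of project 1
  Membership.new(11, 1, 3),   # user 11 is a reporter of project 1
  Membership.new(13, 1, 4),   # user 13 holds the role without projects/show
].freeze

# Mirrors Permission.allowed_to_role("ctrl/action", role_id).
def allowed_to_role?(ctrl_action, role_id)
  ROLE_PERMISSIONS.fetch(role_id, []).include?(ctrl_action)
end

# Mirrors Member.find(:first, :conditions => ["user_id=? and project_id=?", ...]).
def find_membership(user_id, project_id)
  MEMBERS.find { |m| m.user_id == user_id && m.project_id == project_id }
end

# Diagnostic helper: explains why a non-admin request would be denied.
# Returns nil when the request is allowed, :no_membership when no Member
# row matches, or :role_lacks_permission when the row exists but the
# role has no entry for the requested controller/action.
def deny_reason(user, project_id, ctrl, action)
  return nil if user.admin
  membership = find_membership(user.id, project_id)
  return :no_membership unless membership
  return nil if allowed_to_role?("#{ctrl}/#{action}", membership.role_id)
  :role_lacks_permission
end

# The filter logic from the report: admin always passes, otherwise a
# membership row plus a matching role permission is required. Any path
# that does not positively prove a permission ends in 403.
def authorize(user, project_id, ctrl, action)
  return :allowed if user.admin                          # admin is always authorized
  membership = find_membership(user.id, project_id)      # if not admin, check membership
  if membership && allowed_to_role?("#{ctrl}/#{action}", membership.role_id)
    return :allowed
  end
  403                                                    # render :nothing, :status => 403
end

if __FILE__ == $0
  [[AuthUser.new(1, true), "admin"], [AuthUser.new(10, false), "manager"],
   [AuthUser.new(11, false), "reporter"], [AuthUser.new(13, false), "role without show"],
   [AuthUser.new(12, false), "non-member"]].each do |user, label|
    puts "#{label}: projects/show => #{authorize(user, 1, 'projects', 'show').inspect} " \
         "(#{deny_reason(user, 1, 'projects', 'show').inspect})"
  end
end
```

When reproducing the report, the two deny reasons map directly onto what to check in the real application: whether the Member row for (user_id, project_id) actually exists, and whether the permission table carries a "projects/show" entry for that member's role_id. A blank 403 page is what this filter produces in both cases, so the response alone does not distinguish them.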