Defect #1

permissions if not admin

Added by Todd McGrath about 17 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

You probably already know this, but just in case....

If a user is not an administrator and they attempt to click on a project where they are a member (in any role, manager,
developer, reporter, etc.), there is an unexpected result:

Filter chain halted as [authorize] returned false
Completed in 0.00010 (10000 reqs/sec) | Rendering: 0.00000 (0%) | DB: 0.00000 (0%) | 403
[http://localhost/projects/show/1]

I believe this is the relevant code in the application.rb:

  # 1. admin is always authorized
  return true if self.logged_in_user.admin?
  # 2. if not admin, check membership permission
  @user_membership ||= Member.find(:first, :conditions => ["user_id=? and project_id=?", self.logged_in_user.id, @project.id])
  if @user_membership and Permission.allowed_to_role("%s/%s" % [ctrl, action], @user_membership.role_id)
    return true
  end
  render :nothing => true, :status => 403

-/-

Put another way: create a non-admin user, add this user to a project in any role (manager, developer, etc.) and then
log in as this new user. When you click on the project, you receive a blank page.

-/-

Thoughts? Let me know if you want any help on this or if I'm doing something strange?

Todd
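The decision order of the authorize filter quoted above, as an added example in plain Ruby that is not Redmine's code: the Project/User/Member structs, the PermissionTable class, the role ids and the permission data are constructed assumptions standing in for the real models, and authorize returns :ok or 403 instead of rendering. The broken_table reproduces the report (a member in any role is refused projects/show because no role holds that permission); the fixed_table assumes the remedy is to grant that action to every role, which is an assumption about the attached default-permissions patch, not something verified here.

```ruby
require 'set'

# Added example, not Redmine's code: a stand-alone model of the authorize
# before_filter quoted in the report. Data structures and names below are
# constructed assumptions, not the real Permission/Member/Role models.

Project = Struct.new(:id, :is_public)
User    = Struct.new(:id, :admin)
Member  = Struct.new(:user_id, :project_id, :role_id)

ROLE_MANAGER   = 1
ROLE_DEVELOPER = 2

# Assumed shape of the permission data: "controller/action" => Set of role ids,
# plus the set of actions allowed to anyone on public projects.
class PermissionTable
  def initialize(role_perms, public_actions)
    @role_perms     = role_perms
    @public_actions = public_actions
  end

  def allowed_to_public?(key)
    @public_actions.include?(key)
  end

  def allowed_to_role?(key, role_id)
    @role_perms.fetch(key, Set.new).include?(role_id)
  end
end

# Same decision order as the quoted filter: public project first, then admin,
# then membership plus role permission; anything else is a 403 (rendered with
# an empty body, hence the blank page in the report). Returns :ok or 403.
def authorize(user, project, members, perms, ctrl, action)
  key = "#{ctrl}/#{action}"
  return :ok if project.is_public && perms.allowed_to_public?(key)
  return :ok if user.admin
  membership = members.find { |m| m.user_id == user.id && m.project_id == project.id }
  return :ok if membership && perms.allowed_to_role?(key, membership.role_id)
  403
end

# Constructed data: one private project, an admin, a manager-role member, an outsider.
PROJECT  = Project.new(1, false)
ADMIN    = User.new(1, true)
MEMBER   = User.new(2, false)
OUTSIDER = User.new(3, false)
MEMBERS  = [Member.new(MEMBER.id, PROJECT.id, ROLE_MANAGER)]

# Reproduces the report: roles carry permissions for some actions, but
# "projects/show" is granted to no role, so every non-admin member is refused.
def broken_table
  PermissionTable.new(
    { "issues/index" => Set[ROLE_MANAGER, ROLE_DEVELOPER] },
    Set["projects/index"]
  )
end

# Assumed fix: grant the project landing action to every role, so membership
# in any role is enough to open the project. Non-members stay locked out.
def fixed_table
  PermissionTable.new(
    { "issues/index"  => Set[ROLE_MANAGER, ROLE_DEVELOPER],
      "projects/show" => Set[ROLE_MANAGER, ROLE_DEVELOPER] },
    Set["projects/index"]
  )
end

def show_project(user, table)
  authorize(user, PROJECT, MEMBERS, table, "projects", "show")
end

if __FILE__ == $PROGRAM_NAME
  [[:broken, broken_table], [:fixed, fixed_table]].each do |label, table|
    [ADMIN, MEMBER, OUTSIDER].each do |u|
      puts "#{label}: user #{u.id} projects/show -> #{show_project(u, table).inspect}"
    end
  end
end
```

The check a practitioner would add after applying any permission change is the last two cases: the member must now get through, but the outsider must still get 403 on the private project, otherwise the fix has widened access rather than repaired the role table.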


Files

default-permissions-PATCH.txt (1.11 KB), Todd McGrath, 2008-02-03 10:48
base.rhtml-PATCH.txt (7.45 KB), Todd McGrath, 2008-02-03 10:48
roles_controller.rb_PATCH.txt (894 Bytes), Todd McGrath, 2008-02-03 10:48
application_helper.rb-PATCH.txt (970 Bytes), Todd McGrath, 2008-02-03 10:48