Fix access rights to Administration page #12096

Merged
merged 2 commits into from Jan 22, 2019

matks commented Jan 9, 2019

| Questions | Answers |
| --- | --- |
| Branch? | develop |
| Description? | Before, in the "Configure > Advanced Parameters > Administration" page, if you had the READ rights you could modify the settings. This is wrong: you need CREATE, UPDATE or DELETE rights, but not READ. |
| Type? | bug fix |
| Category? | BO |
| BC breaks? | no |
| Deprecations? | no |
| Fixed ticket? | |
| How to test? | Page "Configure > Advanced Parameters > Administration" (URL: /admin-dev/index.php/configure/advanced/administration/) should behave like before, but access rules are fixed: a backoffice user can only use the form to modify settings if he has CREATE, UPDATE or DELETE rights. READ right does not grant him the capability to modify the settings now. |
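
The access-control flaw described in this PR, sketched as an added example that is not part of the pull request and is not PrestaShop code: a single "has any right on the page" check guards both displaying and saving a settings form, next to a check that picks the required right from the action. All function names, constants, the page identifier and the sample profiles are hypothetical.

```php
<?php
// Added illustration, not PrestaShop code. Every name below is hypothetical.
const RIGHT_READ = 'read';
const RIGHT_CREATE = 'create';
const RIGHT_UPDATE = 'update';
const RIGHT_DELETE = 'delete';
const WRITE_RIGHTS = [RIGHT_CREATE, RIGHT_UPDATE, RIGHT_DELETE];
/** True when the profile holds at least one of $anyOf on $page. */
function isGranted(array $profile, string $page, array $anyOf): bool
{
    return count(array_intersect($anyOf, $profile[$page] ?? [])) > 0;
}

/** Behaviour described as the bug: one check covers display and save. */
function handleBefore(array $profile, string $page, string $method): string
{
    if (!isGranted($profile, $page, array_merge([RIGHT_READ], WRITE_RIGHTS))) {
        return 'denied';
    }
    return $method === 'POST' ? 'saved' : 'displayed';
}

/** Behaviour described as the fix: the required right depends on the action. */
function handleAfter(array $profile, string $page, string $method): string
{
    $isWrite = $method !== 'GET' && $method !== 'HEAD';
    $required = $isWrite ? WRITE_RIGHTS : [RIGHT_READ];
    if (!isGranted($profile, $page, $required)) {
        return 'denied';
    }
    return $isWrite ? 'saved' : 'displayed';
}

// Constructed sample profiles (page identifier "administration" is made up).
$profiles = [
    'read-only' => ['administration' => [RIGHT_READ]],
    'editor'    => ['administration' => [RIGHT_READ, RIGHT_UPDATE]],
    'no-access' => [],
];
foreach ($profiles as $name => $profile) {
    foreach (['GET', 'POST'] as $method) {
        printf(
            "%-9s %-4s before=%-9s after=%s\n",
            $name, $method,
            handleBefore($profile, 'administration', $method),
            handleAfter($profile, 'administration', $method)
        );
    }
}
```

The only row that differs between the two handlers is the read-only profile sending a POST, which is the case a regression test for this kind of fix should pin down.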



mickaelandrieu left a comment

It's approved, but it depends on what behavior we have decided to apply.

Can you confirm, @matks?

matks commented Jan 16, 2019

@mickaelandrieu Indeed I need to change this PR as we have agreed to only allow "read" rights for display pages

matks removed the waiting for QA label Jan 16, 2019

matks commented Jan 19, 2019

@mickaelandrieu PR is updated 😄

mbadrani self-assigned this Jan 21, 2019

mbadrani commented Jan 21, 2019

This PR doesn't work as it should.
After creating a salesman profile and deleting all permissions on the shop parameters/general line, as you can see on my capture below
[image]
(after login with the salesman account) by accessing the direct link: "/admin-dev/index.php/configure/shop/preferences/preferences"
as you can see on the capture below
[image]

matks commented Jan 22, 2019

@mbadrani Your screenshot shows the "Configure > Shop parameters > General" (URL: /admin-dev/index.php/configure/shop/preferences/preferences)
This PR is about the "Configure > Advanced Parameters > Administration" (URL: /admin-dev/index.php/configure/advanced/administration/)

mbadrani added QA ✔️ and removed waiting for QA labels Jan 22, 2019

PierreRambaud merged commit 344d659 into PrestaShop:develop Jan 22, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
PierreRambaud commented Jan 22, 2019

Thanks @matks

PierreRambaud added this to the 1.7.6.0 milestone Jan 22, 2019