
Email permission fix #2159

Merged: 2 commits merged on Aug 2, 2016

Conversation

@escopecz (Member) commented Aug 1, 2016

Q                                      A
Bug fix?                               Y
New feature?                           N
Related user documentation PR URL      /
Related developer documentation PR URL /
Issues addressed (#s or URLs)          https://www.mautic.org/community/index.php/5098-emails-permission/0#p13780
BC breaks?                             N
Deprecations?                          N

Description:

A user with only the email:view and email:viewown permissions could edit any email. Also, all the new/edit/clone buttons were there for him to click. This PR fixes the wrong permission in the edit method and hides the buttons the user doesn't have permission to execute.

Steps to test this PR:

  1. Apply this PR and refresh the page
  2. You should not be able to edit an email even if you hack the HTTP request. You cannot test it easily because there is no button to do so.
  3. You should see only buttons which you have permission to.
  4. When you log in as the administrator, all the buttons should be there and you should be able to edit any email.

Steps to reproduce the bug:

  1. Create a role with only email:view and email:viewown permissions.
  2. Create a user with this role.
  3. Log in as this user.
  • You are able to edit any existing email.
  • You can see the new/edit/clone buttons.

@escopecz escopecz added T1 Low difficulty to fix (issue) or test (PR) bug Issues or PR's relating to bugs ready-to-test PR's that are ready to test labels Aug 1, 2016
@escopecz escopecz added this to the 2.1.0 milestone Aug 1, 2016
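The defect described above is a mismatch between the authorization check the controller enforces and the one the UI hints at: the edit action tested a view permission, and the buttons were rendered regardless. The PHP sketch below is an added illustration, written for this page and not Mautic's own code, that models both layers so the difference is visible. Its classes and function names are hypothetical, the edit/create permission names (`email:edit`, `email:editown`, `email:create`, modelled on the page's `email:view`/`email:viewown`) are assumptions, and the scenario data is constructed to follow the reproduction steps. It needs PHP 8.0 or later.

```php
<?php
// Added illustration, not Mautic's code. Permission names other than
// email:view / email:viewown, the classes and the function names are
// hypothetical. Requires PHP 8.0+ (constructor property promotion).
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(
        public int $id,
        public array $permissions,
        public bool $isAdmin = false,
    ) {}

    public function has(string $permission): bool
    {
        return $this->isAdmin || in_array($permission, $this->permissions, true);
    }
}

final class Email
{
    public function __construct(public int $id, public int $createdBy) {}
}

final class EmailPermissions
{
    // "own" permissions apply only to emails the user created; the unsuffixed
    // permission applies to any email.
    public static function canView(User $user, Email $email): bool
    {
        return self::ownOrAny($user, $email, 'email:viewown', 'email:view');
    }

    public static function canEdit(User $user, Email $email): bool
    {
        return self::ownOrAny($user, $email, 'email:editown', 'email:edit');
    }

    public static function canCreate(User $user): bool
    {
        return $user->has('email:create');
    }

    private static function ownOrAny(User $user, Email $email, string $own, string $any): bool
    {
        if ($user->has($any)) {
            return true;
        }
        return $user->has($own) && $email->createdBy === $user->id;
    }
}

// Before the fix: the edit action checked a *view* permission, so every
// viewer could save changes to any email.
function editActionBefore(User $user, Email $email): int
{
    return EmailPermissions::canView($user, $email) ? 200 : 403;
}

// After the fix: the edit action checks the *edit* permission. This check,
// not the absence of a button, is what stops a hand-crafted POST.
function editActionAfter(User $user, Email $email): int
{
    return EmailPermissions::canEdit($user, $email) ? 200 : 403;
}

// Template side: render only the buttons the user may actually use.
// This is a usability fix and must never be the only control.
/** @return string[] */
function visibleButtons(User $user, Email $email): array
{
    $buttons = [];
    if (EmailPermissions::canCreate($user)) {
        $buttons[] = 'new';
    }
    if (EmailPermissions::canEdit($user, $email)) {
        $buttons[] = 'edit';
    }
    // Cloning creates a new email from one the user is allowed to read.
    if (EmailPermissions::canCreate($user) && EmailPermissions::canView($user, $email)) {
        $buttons[] = 'clone';
    }
    return $buttons;
}

// Constructed scenario following the reproduction steps: a role with only the
// two view permissions, an email created by someone else, and an administrator.
$viewer = new User(7, ['email:viewown', 'email:view']);
$admin  = new User(1, [], true);
$email  = new Email(42, 3);

printf("before fix, viewer POSTs an edit: HTTP %d\n", editActionBefore($viewer, $email));
printf("after fix,  viewer POSTs an edit: HTTP %d\n", editActionAfter($viewer, $email));
printf("viewer buttons: [%s]\n", implode(', ', visibleButtons($viewer, $email)));
printf("admin buttons:  [%s]\n", implode(', ', visibleButtons($admin, $email)));
```

Run it with `php example.php`. The point of the "hack the HTTP request" step in the test plan is the second function: hiding the button only changes what `visibleButtons` returns, while the status a direct POST receives depends solely on the permission checked inside the edit action. A test of this PR should therefore submit the edit request without going through the button (for example by replaying a captured request from an administrator session with the restricted user's cookie), not just confirm that the page no longer shows it.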
@dbhurley (Member) commented Aug 2, 2016

Applied. Tested. Logged in as a restricted user, could not create/edit others' emails. +1

@dbhurley dbhurley added pending-test-confirmation PR's that require one test before they can be merged and removed ready-to-test PR's that are ready to test labels Aug 2, 2016
@dongilbert (Member) commented

+1 works great. Thanks

@dongilbert dongilbert removed the pending-test-confirmation PR's that require one test before they can be merged label Aug 2, 2016
@dongilbert dongilbert merged commit ed1902e into mautic:staging Aug 2, 2016