MBS-13108: Require relationship editor, not admin, privs for attributes

There's no real reason this should be locked behind account_admin. It has nothing to do with accounts nor private data, and a lot to do with schema / style, which is what we generally use relationship_editor for (not just relationships but also genres, instruments).
metabrainz · Dec 4, 2023 · 5f8fe4f · 5f8fe4f
1 parent 403082f
commit 5f8fe4f
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/lib/MusicBrainz/Server/Controller/Attributes.pm b/lib/MusicBrainz/Server/Controller/Attributes.pm
@@ -96,7 +96,7 @@ sub attribute_index : Chained('attribute_base') PathPart('') {
     );
 }
 
-sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
+sub create : Chained('attribute_base') RequireAuth(relationship_editor) SecureForm {
     my ($self, $c) = @_;
     my $model = $c->stash->{model};
 
@@ -117,7 +117,7 @@ sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
     }
 }
 
-sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub edit : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
     my ($self, $c, $id) = @_;
     my $model = $c->stash->{model};
     my $attr = $c->model($model)->get_by_id($id);
@@ -139,7 +139,7 @@ sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureFo
     }
 }
 
-sub delete : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub delete : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
     my ($self, $c, $id) = @_;
     my $model = $c->stash->{model};
     my $attr = $c->model($model)->get_by_id($id)

diff --git a/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm b/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm
@@ -30,7 +30,10 @@ test 'Delete standard attribute (series type)' => sub {
     $test->mech->get('/logout');
     $test->mech->get('/login');
     $test->mech->submit_form(
-        with_fields => { username => 'admin', password => 'password' },
+        with_fields => {
+            username => 'relationship_editor',
+            password => 'password',
+        },
     );
 
     $mech->get('/attributes/SeriesType/delete/1');
@@ -93,7 +96,10 @@ test 'Delete language' => sub {
     $test->mech->get('/logout');
     $test->mech->get('/login');
     $test->mech->submit_form(
-        with_fields => { username => 'admin', password => 'password' },
+        with_fields => {
+            username => 'relationship_editor',
+            password => 'password',
+        },
     );
 
     $mech->get_ok('/attributes/Language/delete/120');
@@ -156,7 +162,10 @@ test 'Delete script' => sub {
     $test->mech->get('/logout');
     $test->mech->get('/login');
     $test->mech->submit_form(
-        with_fields => { username => 'admin', password => 'password' },
+        with_fields => {
+            username => 'relationship_editor',
+            password => 'password',
+        },
     );
 
     $mech->get_ok('/attributes/Script/delete/28');

diff --git a/t/sql/attributes.sql b/t/sql/attributes.sql
@@ -11,8 +11,8 @@ INSERT INTO editor (
   id, name, password, ha1,
   email, email_confirm_date, privs)
 VALUES (
-  2, 'admin', '{CLEARTEXT}password', '3a115bc4f05ea9856bd4611b75c80bca',
-  'foo@example.com', now(), 128);
+  2, 'relationship_editor', '{CLEARTEXT}password',
+  '3a115bc4f05ea9856bd4611b75c80bca', 'foo@example.com', now(), 8);
 
 -- Release for language and script usage
 INSERT INTO artist (