From 5f8fe4fae634e05a2309405aca95fa32d4ae7290 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=A1s=20Tamargo?=
Date: Fri, 8 Apr 2022 19:09:10 +0300
Subject: [PATCH] MBS-13108: Require relationship editor, not admin, privs for attributes

There's no real reason this should be locked behind account_admin. It has nothing to do with accounts nor private data, and a lot to do with schema / style, which is what we generally use relationship_editor for (not just relationships but also genres, instruments).
---
 lib/MusicBrainz/Server/Controller/Attributes.pm | 6 +++---
 .../Server/Controller/Attributes/Delete.pm | 15 ++++++++++++---
 t/sql/attributes.sql | 4 ++--
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/lib/MusicBrainz/Server/Controller/Attributes.pm b/lib/MusicBrainz/Server/Controller/Attributes.pm
index e1c511aacc0..523003489fd 100644
--- a/lib/MusicBrainz/Server/Controller/Attributes.pm
+++ b/lib/MusicBrainz/Server/Controller/Attributes.pm
@@ -96,7 +96,7 @@ sub attribute_index : Chained('attribute_base') PathPart('') {
 );
 }
-sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
+sub create : Chained('attribute_base') RequireAuth(relationship_editor) SecureForm {
 my ($self, $c) = @_;
 my $model = $c->stash->{model};
@@ -117,7 +117,7 @@ sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
 }
 }
-sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub edit : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
 my ($self, $c, $id) = @_;
 my $model = $c->stash->{model};
 my $attr = $c->model($model)->get_by_id($id);
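Review bot: The `RequireAuth(relationship_editor)` attribute on `create` is now the only place in the code that records the privilege bar for editing attribute lists, and the reason for choosing it over account_admin (schema/style data, not account or private data) lives only in the commit message; the same applies to `edit` in the second hunk and `delete` in the hunk that follows. A one-line comment above each action, e.g. `# Attribute lists are schema/style data, so relationship_editor (not account_admin) is the bar; see MBS-13108.`, would stop a later reader from "restoring" the stricter flag. The bodies of `create` and `edit` continue outside the hunk, so I cannot see whether anything inside them still assumes an account_admin caller; worth a grep over the rest of the file before merging.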
@@ -139,7 +139,7 @@ sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureFo
 }
 }
-sub delete : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub delete : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
 my ($self, $c, $id) = @_;
 my $model = $c->stash->{model};
 my $attr = $c->model($model)->get_by_id($id)
diff --git a/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm b/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm
index 7d02aa7bc00..1a90949e86d 100644
--- a/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm
+++ b/t/lib/t/MusicBrainz/Server/Controller/Attributes/Delete.pm
@@ -30,7 +30,10 @@ test 'Delete standard attribute (series type)' => sub {
 $test->mech->get('/logout');
 $test->mech->get('/login');
 $test->mech->submit_form(
- with_fields => { username => 'admin', password => 'password' },
+ with_fields => {
+ username => 'relationship_editor',
+ password => 'password',
+ },
 );
 $mech->get('/attributes/SeriesType/delete/1');
@@ -93,7 +96,10 @@ test 'Delete language' => sub {
 $test->mech->get('/logout');
 $test->mech->get('/login');
 $test->mech->submit_form(
- with_fields => { username => 'admin', password => 'password' },
+ with_fields => {
+ username => 'relationship_editor',
+ password => 'password',
+ },
 );
 $mech->get_ok('/attributes/Language/delete/120');
@@ -156,7 +162,10 @@ test 'Delete script' => sub {
 $test->mech->get('/logout');
 $test->mech->get('/login');
 $test->mech->submit_form(
- with_fields => { username => 'admin', password => 'password' },
+ with_fields => {
+ username => 'relationship_editor',
+ password => 'password',
+ },
 );
 $mech->get_ok('/attributes/Script/delete/28');
diff --git a/t/sql/attributes.sql b/t/sql/attributes.sql
index ebdf4022999..76cc2e0b0e1 100644
--- a/t/sql/attributes.sql
+++ b/t/sql/attributes.sql
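Review bot: The three Delete.pm hunks only swap the account the tests log in with, so the coverage for the loosened `RequireAuth(relationship_editor)` check is entirely positive; unless the rest of the file already has one, a negative case that logs in as an editor whose privs lack the relationship_editor bit and asserts the delete URL is refused is what guards this check against being loosened further or dropped by accident. The sql hunk at the end of the patch shows only one editor row, so such a test would also need a second, unprivileged fixture editor. As a point of style, the identical login block is now repeated verbatim at `@@ -30`, `@@ -93` and `@@ -156`; a small helper in the test file taking the username would keep the three in step. Each `test` block starts before its hunk, so I cannot see whether a login helper already exists higher up.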
@@ -11,8 +11,8 @@ INSERT INTO editor (
 id, name, password, ha1, email, email_confirm_date, privs)
 VALUES (
- 2, 'admin', '{CLEARTEXT}password', '3a115bc4f05ea9856bd4611b75c80bca',
- 'foo@example.com', now(), 128);
+ 2, 'relationship_editor', '{CLEARTEXT}password',
+ '3a115bc4f05ea9856bd4611b75c80bca', 'foo@example.com', now(), 8);
 -- Release for language and script usage
 INSERT INTO artist (
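Review bot: The renamed editor row keeps the old `ha1` value `3a115bc4f05ea9856bd4611b75c80bca` while `name` changes from 'admin' to 'relationship_editor'; if `ha1` is a digest-auth style hash over name, realm and password, as the column name suggests, that value now belongs to the old name. The form login used by the tests in this patch goes through the {CLEARTEXT} password, so nothing here fails, but any test that does digest authentication against this fixture would, so either recompute the hash for the new name or mark it as intentionally stale. The new privs literal `8` is also unexplained: assuming it is the relationship_editor bit, a trailing comment such as `-- privs 8 = relationship_editor` next to the value would document the only thing this fixture change actually depends on.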