MH-12989 Add missing roles for actions->edit scheduled #338
Conversation
krinnewitz
force-pushed
the
t/MH-12989-non-admin-users-cannot-use-actions-edit-scheduled-events
branch
2 times, most recently
from
23ac074
to
92e31d5
Compare
krinnewitz
changed the title
gregorydlogan
added
enhancement
maintenance
etc/security/mh_default_org.xml
Outdated
| @@ -125,10 +126,12 @@ | |||
| <sec:intercept-url pattern="/services/sanitize" method="POST" access="ROLE_ADMIN, ROLE_UI_SERVICES_STATUS_EDIT" /> | |||
| <sec:intercept-url pattern="/staticfiles" method="POST" access="ROLE_ADMIN, ROLE_UI_THEMES_CREATE, ROLE_UI_THEMES_EDIT" /> | |||
| <sec:intercept-url pattern="/admin-ng/acl" method="POST" access="ROLE_ADMIN, ROLE_UI_ACLS_CREATE" /> | |||
| <sec:intercept-url pattern="/admin-ng/event/bulk/conflicts" method="POST" access="ROLE_ADMIN, ROLE_UI_EVENTS_DETAILS_SCHEDULING_VIEW" /> | |||
There was a problem hiding this comment.
Where would you need a conflict check when you only have read access to that dialog. Should this maybe be ROLE_UI_EVENTS_DETAILS_SCHEDULING_EDIT?
There was a problem hiding this comment.
It is a read request that uses HTTP POST because a parameter is a potentially large list of event IDs that could cause problems then using a GET request because of length limitations of query parameters.
I agree that this requires somebody looking at this line to know about the implementation which should not be necessary...
Should I add a comment? I could also just change it to a *_EDIT role.
What do you think?
There was a problem hiding this comment.
@krinnewitz Could you please change to ROLE_UI_EVENTS_DETAILS_SCHEDULING_EDIT here? @lkiesow seems right as conflict check will only be needed if you can edit scheduled events.
For Actions -> Edit Scheduled Events, a POST request to event/scheduling.json is sent. Even though a POST request is used, this is a read-only action. So an _VIEW role is used. The same applies for event/bulk/conflicts and event/bulk/update (needs write-access).
krinnewitz
force-pushed
the
t/MH-12989-non-admin-users-cannot-use-actions-edit-scheduled-events
branch
from
92e31d5
to
9aee2ea
Compare
…duled-events' of plapadoo/opencast into develop Pull request #338 MH-12989 Add missing roles for actions->edit scheduled
|
Thanks for fixing this → merged |
For Actions -> Edit Scheduled Events, a POST request to
event/scheduling.json is sent. Even though a POST request is used, this
is a read-only action. So an _VIEW role is used.
The same applies for event/bulk/conflicts and event/bulk/update
(needs write-access).
This work is sponsored by SWITCH.