Description
Multiple views that should be restricted from Viewer-role users currently allow access. The Viewer role is intended to be read-only, but several action-oriented views don't enforce this restriction.
Spec Sections: S2.10, S10C (US-VW, US-MB viewer restrictions)
Severity: MEDIUM — permissions are too permissive
Gaps
- Drafts queue — Viewers can access
/drafts/ (should be 403)
- My borrowed items — Viewers can access
/my-borrowed/ (should be 403)
- Asset label page — Viewers can access
/assets/<pk>/label/ (should be 403)
- Hold list create — Viewers can access
/hold-lists/create/ (should be 403)
- Export — Viewers cannot export assets (spec says they SHOULD be able to, S10C US-VW-005)
Xfail Test Coverage
| File |
Test |
Reason |
test_member_viewer.py |
TestUS_MB_002::test_viewer_cannot_access_drafts_queue |
Viewer permission not enforced on drafts_queue |
test_member_viewer.py |
TestUS_MB_010::test_viewer_cannot_access_my_borrowed_items |
Viewer permission not enforced on my_borrowed_items |
test_member_viewer.py |
TestUS_MB_014::test_viewer_cannot_access_label_page |
Viewer permission not enforced on asset_label |
test_member_viewer.py |
TestUS_MB_016::test_viewer_can_also_export |
Viewers cannot export assets (US-MB-016) |
test_member_viewer.py |
TestUS_MB_022::test_viewer_cannot_create_hold_list |
Viewer permission not enforced on holdlist_create |
test_member_viewer.py |
TestUS_VW_005::test_viewer_can_export_assets |
Viewers cannot export assets (US-VW-005) |
Branch: feature/test-reorganisation-and-functional-suite (PR #37)
Description
Multiple views that should be restricted from Viewer-role users currently allow access. The Viewer role is intended to be read-only, but several action-oriented views don't enforce this restriction.
Spec Sections: S2.10, S10C (US-VW, US-MB viewer restrictions)
Severity: MEDIUM — permissions are too permissive
Gaps
/drafts/(should be 403)/my-borrowed/(should be 403)/assets/<pk>/label/(should be 403)/hold-lists/create/(should be 403)Xfail Test Coverage
test_member_viewer.pyTestUS_MB_002::test_viewer_cannot_access_drafts_queuedrafts_queuetest_member_viewer.pyTestUS_MB_010::test_viewer_cannot_access_my_borrowed_itemsmy_borrowed_itemstest_member_viewer.pyTestUS_MB_014::test_viewer_cannot_access_label_pageasset_labeltest_member_viewer.pyTestUS_MB_016::test_viewer_can_also_exporttest_member_viewer.pyTestUS_MB_022::test_viewer_cannot_create_hold_listholdlist_createtest_member_viewer.pyTestUS_VW_005::test_viewer_can_export_assetsBranch:
feature/test-reorganisation-and-functional-suite(PR #37)