-
Notifications
You must be signed in to change notification settings - Fork 982
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #29445 - restrict STI deletion to admin #7694
Conversation
When obsolete STI records deletion was introduced, we allowed even non-admin users to delete that. This patch makes it possible only for admins to delete records from the database. Non-admin users only see a short message explaining what happened, that they should contact administrator and request ID that can help administrator to figure out what happened. It was also necessary to add explicit require_login call, otherwise User.current was nil in case the stack failed before user was loaded. This also made the page looks much nicer, becase the menu can be properly rendered.
Issues: #29445 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't test but conceptually lgtm.
<br><br> | ||
<%= link_to _('Delete'), '?confirm_data_deletion=yes', class: 'btn btn-danger', data: { confirm: _('The data deletion can not be undone, are you sure you want to proceed?') } %> | ||
<% else %> | ||
<%= (_('Please contact your administrator, the request id for finding the logs: "%s"') % request.uuid) %> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested with a non-admin user. looks like since the error is captured, there is actually nothing in the log.
Also, this prints a full uuid, but at least for file-based logging we only log the first 8 characters of it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved, see the new commit for the solution, I only display that for non-admin users
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ares !
When obsolete STI records deletion was introduced, we allowed even non-admin users to delete that. This patch makes it possible only for admins to delete records from the database. Non-admin users only see a short message explaining what happened, that they should contact administrator and request ID that can help administrator to figure out what happened. It was also necessary to add explicit require_login call, otherwise User.current was nil in case the stack failed before user was loaded. This also made the page looks much nicer, becase the menu can be properly rendered. (cherry picked from commit f44a335)
2.1 - 693f8f7 |
When obsolete STI records deletion was introduced, we allowed even
non-admin users to delete that. This patch makes it possible only for
admins to delete records from the database. Non-admin users only see a
short message explaining what happened, that they should contact
administrator and request ID that can help administrator to figure out
what happened.
It was also necessary to add explicit require_login call, otherwise
User.current was nil in case the stack failed before user was loaded.
This also made the page looks much nicer, becase the menu can be
properly rendered.
For the reviewer - under admin account
non-admin account
to reproduce, install a plugin, e.g. discovery, change some discovery setting and then comment it in Gemfile. After server restart, enter setting page under non-admin user. You shouldn't be able to delete records even if you know the magic parameter. Pinging @tbrisker as he was who pointed this weakness out.