Project

General

Profile

Actions

Bug #18865

closed

Regular users cannot read, update or delete permission links pointing to objects they can_manage that are not users or groups

Added by Peter Amstutz almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Story points:
-
Release relationship:
Auto

Description

The fix in #18164 to make permission links correctly visible through the "links" API was incomplete.

It assumes that the head_uuid is always in the permission table.

This is correct for users and groups, which are listed exhaustively in the permission table.

If you own another type of object (like a collection) and create a permission link to it, under the current query logic you will not be able to see the permission link. That is because no explicit row exists for the owner group to the collection, the can_manage permission is implied.

The query logic needs to somehow incorporate a check for can_manage on the owner_uuid where target_uuid is not a user or group.

(This is annoying because it's probably going to require another table join).

Start by writing a test case.


Subtasks 1 (0 open1 closed)

Task #18875: Review 18865-collection-permission-linksResolvedPeter Amstutz03/23/2022Actions
Actions

Also available in: Atom PDF