Bug #2931

Non-privileged user can't delete authorization tokens.

Added by Peter Amstutz over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Story points: 1.0

Description

Under the following conditions:
  • A link exists in the database with head_uuid=null and link_class='permission', owned by (say) admin
  • Non-admin user creates an ApiClientAuthorization (e.g., with the "share" button on the Workbench "show collection" page)
  • Non-admin user deletes the ApiClientAuthorization (e.g., "unshare")

Result: Permission denied. "dependent: destroy" hook tries to delete all links with head_uuid=null.

Associated revisions

Revision c7ee5e02 (diff)
Added by Tom Clegg over 6 years ago

2931: Remove {dependent: :destroy} in ArvadosModel. HasUuid does that now. closes #2931
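The failure described above, modelled in plain Ruby as an added example; it is not Arvados code and is not taken from the commit. It assumes the record being deleted has a nil uuid, so an unconditional cascade on head_uuid matches every link whose head_uuid is null. LinkStore, destroy_unguarded and destroy_guarded are hypothetical names, and the nil check is a stand-in for the fix, which per the revision note removed the hook from ArvadosModel and left it to HasUuid.

```ruby
# Constructed plain-Ruby model of the cascade; not Arvados code, no Rails.
class PermissionDenied < StandardError; end

Link = Struct.new(:head_uuid, :link_class, :owner)

class LinkStore
  attr_reader :links

  def initialize(links)
    @links = links
  end

  # Delete every link whose head_uuid equals the given value, acting as actor.
  # Raises if any matching link belongs to someone else and actor is not admin.
  def destroy_where_head(head_uuid, actor)
    matches = @links.select { |l| l.head_uuid == head_uuid }
    matches.each do |l|
      next if actor == "admin" || actor == l.owner
      raise PermissionDenied, "#{actor} may not delete a link owned by #{l.owner}"
    end
    @links -= matches
    matches.size
  end
end

# Cascade as the report describes it: runs even when the record has no uuid.
def destroy_unguarded(record_uuid, actor, store)
  store.destroy_where_head(record_uuid, actor)
  :destroyed
end

# Assumed guard: skip the cascade when there is no uuid to match on.
def destroy_guarded(record_uuid, actor, store)
  store.destroy_where_head(record_uuid, actor) unless record_uuid.nil?
  :destroyed
end

# Constructed scenario: one admin-owned permission link with head_uuid nil.
def demo
  seed = -> { LinkStore.new([Link.new(nil, "permission", "admin")]) }
  unguarded = begin
    destroy_unguarded(nil, "user", seed.call)
  rescue PermissionDenied
    :permission_denied
  end
  store = seed.call
  guarded = destroy_guarded(nil, "user", store)
  [unguarded, guarded, store.links.size]
end
```
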

History

#1 Updated by Tom Clegg over 6 years ago

  • Description updated (diff)

#2 Updated by Tom Clegg over 6 years ago

  • Subject changed from Workbench can't delete authorization tokens used by "share" button. to Non-privileged user can't delete authorization tokens.
  • Assigned To set to Tom Clegg

#3 Updated by Tom Clegg over 6 years ago

  • Description updated (diff)

#4 Updated by Anonymous over 6 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Applied in changeset arvados|commit:c7ee5e02cae78d3edff6ed393d776c4995441896.

#5 Updated by Ward Vandewege over 6 years ago

  • Story points set to 1.0
