Project

General

Profile

Actions
Copy link

Bug #2931

closed

Non-privileged user can't delete authorization tokens.

Added by Peter Amstutz over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Tom Clegg
Category:
-
Target version:
2014-06-17 Curating and Crunch
Story points:
1.0

Description

Under the following conditions
  • A link exists in the database with head_uuid=null and link_class='permission', owned by (say) admin
  • Non-admin user creates an ApiClientAuthorization (e.g., with the "share" button on the Workbench "show collection" page)
  • Non-admin user deletes the ApiClientAuthorization (e.g., "unshare")

Result: Permission denied. "dependent: destroy" hook tries to delete all links with head_uuid=null.

Actions
Copy link

Also available in: Atom PDF