Bug #18865

Updated by Peter Amstutz almost 3 years ago

The fix in #18164 to make permission links correctly visible through the "links" API was incomplete. 

It assumes that the head_uuid is always in the permission table.

This is correct for users and groups, which are listed exhaustively in the permission table.

If you own another type of object (like a collection) and create a permission link to it, under the current query logic you will not be able to see the permission link. That is because no explicit row exists for the owner group to the collection; the can_manage permission is implied.

The query logic needs to somehow incorporate a check for can_manage on the owner_uuid where target_uuid is not a user or group.

(This is annoying because it's probably going to require another table join.)

Start by writing a test case.
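The visibility gap described above, reproduced as an added example in a toy SQLite model (this is not Arvados code). The schema, the short uuids, and the numeric `CAN_MANAGE` level are assumptions made for illustration; only `head_uuid`, `owner_uuid`, `target_uuid` and `can_manage` come from the report.

```python
import sqlite3

CAN_MANAGE = 3  # assumed numeric level for can_manage in this toy model
# Assumed, simplified schema (not Arvados's real tables). As in the report,
# "permissions" has explicit rows only for user and group targets.
SCHEMA = """
CREATE TABLE permissions (user_uuid TEXT, target_uuid TEXT, perm_level INTEGER);
CREATE TABLE collections (uuid TEXT, owner_uuid TEXT);
CREATE TABLE links (uuid TEXT, link_class TEXT, tail_uuid TEXT, head_uuid TEXT);
"""
# Query shape the report describes: head_uuid must appear in the permission table.
QUERY = """
SELECT l.uuid FROM links l
WHERE l.link_class = 'permission' AND (
  EXISTS (SELECT 1 FROM permissions p
          WHERE p.user_uuid = :user AND p.target_uuid = l.head_uuid
            AND p.perm_level >= :manage)
  {extra})
"""
# The extra join: a head that is not a user or group is checked via its owner.
OWNER_CHECK = """OR EXISTS (SELECT 1 FROM collections c
          JOIN permissions p ON p.target_uuid = c.owner_uuid
          WHERE c.uuid = l.head_uuid AND p.user_uuid = :user
            AND p.perm_level >= :manage)"""

def build_db():
    """Constructed sample data: alice manages grp-proj, which owns col-1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO permissions VALUES (?,?,?)", [
        ("alice", "alice", 3), ("alice", "grp-proj", 3),
        ("bob", "bob", 3), ("bob", "grp-proj", 1),      # bob: read only
        ("carol", "carol", 3), ("carol", "grp-other", 3)])
    conn.executemany("INSERT INTO collections VALUES (?,?)",
                     [("col-1", "grp-proj"), ("col-2", "grp-other")])
    conn.executemany("INSERT INTO links VALUES (?,'permission',?,?)", [
        ("link-1", "bob", "col-1"),      # head is a collection (implied manage)
        ("link-2", "bob", "grp-proj"),   # head is a group (explicit row)
        ("link-3", "bob", "col-2")])     # head owned by someone else's group
    return conn

def visible_links(conn, user, check_owner):
    """Permission links the user may list, with or without the owner check."""
    sql = QUERY.format(extra=OWNER_CHECK if check_owner else "")
    rows = conn.execute(sql, {"user": user, "manage": CAN_MANAGE})
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = build_db()
    print(visible_links(db, "alice", False), visible_links(db, "alice", True))
```

The bob and carol rows double as the negative cases a regression test needs: read-only access to the owner must not expose the link, and links on another owner's objects must stay hidden.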
