Details
-
Bug
-
Resolution: Fixed
-
High
-
5.1, 5.2-dev
-
Server OS: Red Hat 6.4
PHP: 5.3.3
Database: MySQL 5.1.61
Browser: Firefox 20
Description
In RoleService the method RemovePolicy has 2 parameters, a role and a policy, but if you send a policy that doesn't belong to that role it will be removed from the respective role.
Steps to reproduce: [Public API] 1 - Create new role: identifier: Role 2 - add a policy to "Role": module: content function: read 3 - create new role: identifier: Test 4 - add a policy to "Test" module: content function: edit 5 - load policy from the "Test" role 6 - call $repository->getRoleService()->removePolicy( <Role> , <Test role policy> ) [admin interface] 7 - verify that the "Role" still have it's policy 8 - verify that the "Test" doesn't have any policy
From the inputs of method and the comments on the function the policy shouldn't be removed from any other role besides the input one.