eZ Publish / Platform: EZP-21235

API: user cannot have permissions to edit just himself, the limitation owner(self) is broken


      Description

      If a role is created to allow a user to edit only himself, those permissions fail on the API. Any policy that includes owner(self) will fail on the API.

      • Create some user outside any group
      • Create a role with policies:
        content edit Class( User )
        content read Class( User )
        content versionread Class( User )
      • Attach the role to the created user
      • Using a test command just like the one linked below, update a test user
      • In the admin backend, change the policy to:
        content read Class( User ), Owner( Self )
      • Update again; this time a permission exception will be thrown.

      Change the policy back to one without owner(self) and run the command to update the user. Any other user will be able to update the target user too. So, since the owner limitation is broken, the minimum policy set that works will allow any user to edit another one.

      Test command here: https://gist.github.com/pbras/5999236
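A non-mutating regression check for the behaviour reported above, as an added example (not the reporter's gist and not project code): it asks the Public API's `canUser()` what each test user may do to every test user's object and flags results that differ from the intended policy. It assumes `$repository` is an already bootstrapped `eZ\Publish\API\Repository\Repository` from the 5.x Public API, that the two logins (hypothetical) exist with the role under test attached, and that the intended policy is "each user may read and edit only their own user object".

```php
<?php
use eZ\Publish\API\Repository\Repository;

/**
 * Builds an actor x target matrix of content/read and content/edit decisions.
 * Nothing is written to the repository; only permission checks are evaluated.
 */
function userPermissionMatrix(Repository $repository, array $logins)
{
    $userService = $repository->getUserService();
    $initialUser = $repository->getCurrentUser();

    // Load all users first, under the identity the caller bootstrapped with,
    // so that a broken "read" policy cannot hide a user from the matrix.
    $users = array();
    foreach ($logins as $login) {
        $users[$login] = $userService->loadUserByLogin($login);
    }

    $rows = array();
    foreach ($users as $actorLogin => $actor) {
        $repository->setCurrentUser($actor);
        foreach ($users as $targetLogin => $target) {
            foreach (array('read', 'edit') as $function) {
                $rows[] = array(
                    'actor'    => $actorLogin,
                    'target'   => $targetLogin,
                    'function' => $function,
                    'allowed'  => $repository->canUser('content', $function, $target),
                    // Assumed intent: a user may act on their own object only.
                    'expected' => $actorLogin === $targetLogin,
                );
            }
        }
    }

    $repository->setCurrentUser($initialUser); // restore the caller's identity
    return $rows;
}

// Hypothetical logins; $repository is assumed to exist in the calling script.
foreach (userPermissionMatrix($repository, array('test_user_a', 'test_user_b')) as $row) {
    printf(
        "%-12s content/%-4s on %-12s allowed=%s %s\n",
        $row['actor'], $row['function'], $row['target'],
        $row['allowed'] ? 'yes' : 'no',
        $row['allowed'] === $row['expected'] ? 'OK' : 'MISMATCH'
    );
}
```

A MISMATCH on a self row indicates the failure described in the report; a MISMATCH on a cross-user row indicates the over-broad fallback policy is in effect.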

            People

            Assignee:
            Unassigned
            Reporter:
            paulo.bras-obsolete@ez.no Paulo Bras (Inactive)
            Time spent: 1 day, 7 hours, 15 minutes