Details
- Bug
- Resolution: Fixed
- Medium
- 5.1
- None
Description
If a role is created to allow a user to edit only themself, those permissions fail on the API: any policy that includes the Owner(Self) limitation fails when used through the API.
- Create a user outside any group.
- Create a role with these policies:
  - content edit Class( User )
  - content read Class( User )
  - content versionread Class( User )
- Attach the role to the created user.
- Using a test command like the one linked below, update a test user.
- In the admin backend, change the read policy to:
  - content read Class( User ), Owner( Self )
- Update again; this time a permission exception is thrown.
Change the policy back (without Owner(Self)) and run the command to update the user again. Any other user will also be able to update the target user. So, since the Owner limitation is broken, the minimum policy set that works allows any user to edit any other user.

Test command: https://gist.github.com/pbras/5999236
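The following is an added example, not eZ Publish code and not the linked test command. It is a constructed model of how role policies with Class and Owner(Self) limitations are meant to be evaluated (limitations on one policy are ANDed, policies in a role are ORed), with a switch that reproduces the reported failure where Owner(Self) never matches on the API path. All class, function and sample-data names are hypothetical; the sample assumes each user object is owned by the user it represents.

```python
# Added example: constructed model of policy evaluation with Class and
# Owner(Self) limitations. Not eZ Publish code; every name is hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Content:
    content_id: int
    class_identifier: str
    owner_id: int


@dataclass(frozen=True)
class Policy:
    module: str
    function: str
    classes: FrozenSet[str] = frozenset()  # Class(...) limitation; empty = any class
    owner_self: bool = False               # Owner(Self) limitation


@dataclass(frozen=True)
class User:
    user_id: int
    policies: Tuple[Policy, ...]


def policy_allows(policy: Policy, user: User, content: Content,
                  module: str, function: str, owner_self_works: bool) -> bool:
    """Every limitation on a single policy must hold for it to grant access."""
    if (policy.module, policy.function) != (module, function):
        return False
    if policy.classes and content.class_identifier not in policy.classes:
        return False
    if policy.owner_self:
        if not owner_self_works:
            # Models the reported defect: on the API path Owner(Self) never
            # matches, so any policy carrying it denies the operation.
            return False
        if content.owner_id != user.user_id:
            return False
    return True


def can(user: User, content: Content, module: str, function: str,
        owner_self_works: bool = True) -> bool:
    """A role grants access if any one of its policies allows the operation."""
    return any(policy_allows(p, user, content, module, function, owner_self_works)
               for p in user.policies)


def update_allowed(user: User, content: Content, owner_self_works: bool = True) -> bool:
    """Updating a user object is modelled as needing read, edit and versionread."""
    return all(can(user, content, "content", f, owner_self_works)
               for f in ("read", "edit", "versionread"))


# Constructed sample data: two users outside any group, each user object
# owned by the user it represents.
ALICE_OBJ = Content(content_id=10, class_identifier="user", owner_id=10)
BOB_OBJ = Content(content_id=11, class_identifier="user", owner_id=11)

# The minimal policy set from the report (Class limitation only).
MINIMAL_POLICIES = (
    Policy("content", "edit", frozenset({"user"})),
    Policy("content", "read", frozenset({"user"})),
    Policy("content", "versionread", frozenset({"user"})),
)
# The same set after the report's change: read restricted to Owner(Self).
REPORTED_POLICIES = (
    Policy("content", "edit", frozenset({"user"})),
    Policy("content", "read", frozenset({"user"}), owner_self=True),
    Policy("content", "versionread", frozenset({"user"})),
)


def scenario() -> Dict[str, bool]:
    """Runs the report's steps against the model and returns each outcome."""
    alice_min = User(10, MINIMAL_POLICIES)
    alice_self = User(10, REPORTED_POLICIES)
    return {
        # The security impact: the working policy set lets a user edit any other user.
        "minimal_edits_other": update_allowed(alice_min, BOB_OBJ),
        # What Owner(Self) should do: own object allowed, another user's denied.
        "self_edits_self_correct": update_allowed(alice_self, ALICE_OBJ, True),
        "self_edits_other_correct": update_allowed(alice_self, BOB_OBJ, True),
        # The reported behaviour: even the user's own object is denied.
        "self_edits_self_buggy": update_allowed(alice_self, ALICE_OBJ, False),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The `owner_self_works` flag is only there to make the two behaviours side by side visible; the point of the model is that with a working Owner(Self) limitation the role is safe, and without it the only policy set that functions grants every user write access to every other user object.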