  1. eZ Publish / Platform
  2. EZP-21235

API: user cannot have permissions to edit just himself, the limitation owner(self) is broken

Details

    Description

      If a role is created to allow a user to edit only himself, those permissions fail on the API. Any policy that includes the owner(self) limitation will fail on the API.

      • create some user outside any group
      • create a role with policies:
        content edit Class( User )
        content read Class( User )
        content versionread Class( User )
      • attach the role to the created user
      • using a test command just like the one linked below, update a test user
      • in the admin backend change policy to:
        content read Class( User ), Owner( Self )
      • update again, this time a permission exception will be thrown.

      Change the policy back to one without owner(self) and run the command to update the user: any other user will be able to update the target user too. So, since the owner limitation is broken, the minimum policy set that works will allow any user to edit another one.

      test command here: https://gist.github.com/pbras/5999236
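
A permission regression check for the steps above, written as an added example (it is not the linked gist and not project code). It assumes an already bootstrapped eZ Publish 5.x Public API `Repository`, a test instance whose data may be modified, and two hypothetical logins that both carry the role from the steps; the function names are made up for illustration.

```php
<?php
// Added example. Assumptions: eZ Publish 5.x Public API, a bootstrapped
// Repository, and test users whose logins the caller supplies.
use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Exceptions\UnauthorizedException;

/**
 * Acting as $actorLogin, try to update the first_name field of $targetLogin.
 * Returns true if the API accepted the update, false if it refused it.
 */
function canUpdateUser(Repository $repository, $actorLogin, $targetLogin)
{
    $userService = $repository->getUserService();
    $contentService = $repository->getContentService();

    $previousUser = $repository->getCurrentUser();
    $repository->setCurrentUser($userService->loadUserByLogin($actorLogin));
    try {
        $target = $userService->loadUserByLogin($targetLogin);

        $contentUpdate = $contentService->newContentUpdateStruct();
        $contentUpdate->initialLanguageCode = $target->contentInfo->mainLanguageCode;
        $contentUpdate->setField('first_name', 'perm-check ' . date('c'));

        $userUpdate = $userService->newUserUpdateStruct();
        $userUpdate->contentUpdateStruct = $contentUpdate;

        $userService->updateUser($target, $userUpdate);
        $allowed = true;
    } catch (UnauthorizedException $e) {
        $allowed = false;
    }
    // Restore the caller's identity whatever the outcome.
    $repository->setCurrentUser($previousUser);

    return $allowed;
}

/**
 * Authorization matrix for the role under test. With a working
 * Owner( Self ) limitation the expected result is array(true, false).
 */
function ownerSelfMatrix(Repository $repository, $selfLogin, $otherLogin)
{
    return array(
        'self edits self'  => canUpdateUser($repository, $selfLogin, $selfLogin),
        'other edits self' => canUpdateUser($repository, $otherLogin, $selfLogin),
    );
}
```

Run it once per policy set: the report describes `self edits self` coming back false with Owner( Self ) in place, and `other edits self` coming back true once the limitation is removed.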

          People

            Unassigned Unassigned
            paulo.bras-obsolete@ez.no Paulo Bras (Inactive)
              Time Tracking

                Original Estimate - Not Specified
                Remaining Estimate - 0 minutes
                Time Spent - 1 day, 7 hours, 15 minutes