Closed (fixed)
Project:
Project
Version:
5.x-1.x-dev
Component:
Releases
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
4 Sep 2007 at 21:11 UTC
Updated:
27 Oct 2007 at 00:21 UTC
Jump to comment: Most recent file
Comments
Comment #1
dwwi could have sworn this was all working as expected not long ago. i wonder if i just managed to overlook this in my testing due to role/permission confusion, or if something introduced a regression. guess we'll just have to debug it and find out.
Comment #2
hunmonk commentedit works for the release overview page, where project_check_admin_access($project) is properly called. however, there is no access check like this for viewing individual nodes. attached patch adds that check to project_release_access() 'view' op.
Comment #3
dwwThanks for the diagnosis, sounds right. This patch looks ok to me. However, here's an alternative:
project_project_access() could check for project admin access in the $op 'view' case. Given the "CVS access makes you a maintainer" thing, that seems like what you'd expect, e.g. on sites that only allow "access own projects" permission -- if someone gave you CVS access to a project, you should be treated as if it's your "own", too. That'd keep project_release_access() simple and sharing the identical logic with project_project_access(), which is nice. And, that seems more consistent with the other "once you have CVS access it's like you own the project" behavior, though I'll agree it's not so consistent with other permissions regarding your "own" nodes.
If you object to this approach, then your patch is RTBC.
Comment #4
hunmonk commentedyeah, that approach seems most sensible. attached should handle it. i considered removing the
if (user_access('access own projects') && $node->uid == $user->uid) {check in that function as well, but it looks like project_check_admin_access() requires 'maintain projects' perm to allow viewing in the case of being the node owner, so i guess this patch i have provides the most consitency with the least amount of code change.Comment #5
dwwYup, that's great. Thanks.
Comment #6
hunmonk commentednot quite. project_check_admin_access() needs the project node, not the release node :)
attached tests for the node type, and loads the project if it's not a project_project type. tested this, and it works to solve this specific bug, and i don't think it will introduce any regressions.
Comment #7
dwwI think this is a more straight-forward way to do this. I don't care that it slightly changes the semantics of who can view projects in these weird edge-cases. ;)
Comment #8
hunmonk commentedsame effect. a bit simpler.
Comment #9
dwwMaybe this is even better... We can only assume
$node->pidis what we think it is if it's a 'project_release' node. Instead of double negative, let's express this explicitly.Comment #10
hunmonk commentedi think we've split enough hairs here :)
tested and committed the latest patch.
Comment #11
(not verified) commented