Changes between Initial Version and Version 1 of Ticket #11069, comment 12
- Timestamp: Aug 20, 2013, 5:47:21 AM (11 years ago)
Ticket #11069, comment 12
| initial | v1 | text |
|---|---|---|
| 19 | 19 | anonymous = |
| 20 | 20 | }}} |
| 21 | | users with `MILESTONE_VIEW` and `TICKET_ADMIN` will currently still see all milestones. I don't really want to try to fix this issue in this ticket, but thinking about it and experimenting has me questioning now whether my other changes are implemented correctly. |
| | 21 | users with `MILESTONE_VIEW` and `TICKET_ADMIN` for `admin:ticket/milestones` will currently still see all milestones. I don't really want to try to fix this issue in this ticket, but thinking about it and experimenting has me questioning now whether my other changes are implemented correctly. |
| 22 | 22 | |
| 23 | 23 | You can see from my previous changes, that for controlling access to `/admin/ticket/milestone` I've treated `admin` as the "realm" and `ticket/milestone` as the "resource id" when doing permission checks with a `PermissionCache` object: `'MILESTONE_VIEW' in perm('admin', 'ticket/milestones')`. Suppose though that we want to control the milestones listed on the `/admin/ticket/milestones` page. Should the permission check be `'MILESTONE_VIEW' in perm(milestone.resource)` so that a policy like the one shown above would restrict access? Or should the permission check be `'MILESTONE_VIEW' in perm('admin', 'ticket/admin/' + milestone.name)`, so that a permission policy like the following would restrict access? |