
Changes between Initial Version and Version 1 of Ticket #11069, comment 12


Timestamp: Aug 20, 2013, 5:47:21 AM (6 years ago)
Author: Ryan J Ollos

  • Ticket #11069, comment 12

    initial v1  
    1919anonymous =
    2020}}}
    21 users with `MILESTONE_VIEW` and `TICKET_ADMIN` will currently still see all milestones. I don't really want to try to fix this issue in this ticket, but thinking about it and experimenting has me questioning now whether my other changes are implemented correctly.
     21users with `MILESTONE_VIEW` and `TICKET_ADMIN` for `admin:ticket/milestones` will currently still see all milestones. I don't really want to try to fix this issue in this ticket, but thinking about it and experimenting has me questioning now whether my other changes are implemented correctly.
    2222
    2323You can see from my previous changes, that for controlling access to `/admin/ticket/milestone` I've treated `admin` as the "realm" and `ticket/milestone` as the "resource id" when doing permission checks with a `PermissionCache` object: `'MILESTONE_VIEW' in perm('admin', 'ticket/milestones')`. Suppose though that we want to control the milestones listed on the `/admin/ticket/milestones` page. Should the permission check be `'MILESTONE_VIEW' in perm(milestone.resource)` so that a policy like the one shown above would restrict access? Or should the permission check be `'MILESTONE_VIEW' in perm('admin', 'ticket/admin/' + milestone.name)`, so that a permission policy like the following would restrict access?
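
Review bot: the qualifier added on the v1 line spells the resource `admin:ticket/milestones` (plural), but the unchanged paragraph after it is not consistent with that: it gives `ticket/milestone` as the resource id for `/admin/ticket/milestone`, uses `ticket/milestones` in the `perm('admin', 'ticket/milestones')` check, and builds `'ticket/admin/' + milestone.name` in the last proposed check. Suggest settling on one spelling of the panel's resource id throughout the comment, so it is clear which string a permission policy rule would have to match.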