Bug #5658
Review permission checking in the manager
Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 09 October 2014
Due date:
% Done: 0%
Estimated time:
Patch proposed: No
Planning:
Description
- Listing views and edit views should be accessible if any of change, add or delete is available, a new decorator should be used with the signature any_permission_required(model_name, raise_exception=False).
- Edit views should return Http403 on POST if change permission is unavailable, and not on any access
- Buttons to delete should be disabled if delete is unavailable, a tooltip must be added stating the permission is missing from the user
- Buttons to add should be disabled if add is unavailable, a tooltip must be added stating the permission is missing from the user
- Edit form on user and roles should be disabled if change permission on roles or users is not available and a message should be displayed
- Add user to role form should be disabled if change permission on roles is unavailable
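
The access rules listed in the description, sketched as an added example that is not part of the issue or of the project's code. It runs without Django: `PermissionDenied`, `User` and `Request` are local stand-ins, and the `app_label.model` format for `model_name`, the `myapp.role` model, the `edit_role` view and `LOGIN_URL` are assumptions; permission names follow Django's `app_label.action_model` codename convention.

```python
from functools import wraps

ACTIONS = ("add", "change", "delete")
LOGIN_URL = "/login/"  # hypothetical redirect target

class PermissionDenied(Exception):
    """Local stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""

def model_perms(user, model_name):
    """Actions the user holds on model_name, given as 'app_label.model' (assumed)."""
    app_label, model = model_name.split(".")
    return {a for a in ACTIONS if user.has_perm(f"{app_label}.{a}_{model}")}

def any_permission_required(model_name, raise_exception=False):
    """Let the view run if the user holds at least one of add/change/delete."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            held = model_perms(request.user, model_name)
            if not held:
                if raise_exception:
                    raise PermissionDenied(model_name)
                return {"redirect": LOGIN_URL}  # stand-in for a login redirect
            request.model_perms = held  # lets the view gate each action
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

@any_permission_required("myapp.role", raise_exception=True)
def edit_role(request):
    """Hypothetical edit view: readable with any permission, writable with change."""
    held = request.model_perms
    if request.method == "POST" and "change" not in held:
        raise PermissionDenied("change permission is required to save")
    return {
        "saved": request.method == "POST",
        "form_disabled": "change" not in held,      # read-only form plus message
        "delete_disabled": "delete" not in held,    # greyed button plus tooltip
    }

# Constructed sample objects so the example runs without Django.
class User:
    def __init__(self, *perms):
        self.perms = set(perms)
    def has_perm(self, perm):
        return perm in self.perms

class Request:
    def __init__(self, user, method="GET"):
        self.user, self.method = user, method
```

The server-side POST check is what enforces the rule; the disabled form and buttons only keep the interface consistent with it.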
Related issues
History
Updated by Benjamin Dauvergne about 9 years ago
- Status changed from New to Rejected
It will be done as part of the new work on access control and RBAC.
Updated by Benjamin Dauvergne about 9 years ago
- Related to Development #751: Improve the manager based on RBAC added