Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disabled project edits, results and updates are still accessable in myRSR through URL manipulation #2149

Closed
damienallen opened this issue May 9, 2016 · 1 comment
Closed

Disabled project edits, results and updates are still accessable in myRSR through URL manipulation #2149

damienallen opened this issue May 9, 2016 · 1 comment
Assignees
@damienallen
Labels
Bug Quick Fix Type: MyRSR
Milestone
3.14 Riga

Comments

@damienallen
Copy link
Contributor

damienallen commented May 9, 2016
edited
Loading

Buttons for edits, results and updates in myRSR/My Projects are sometimes disabled for projects depending on their status (eg. unpublished or complete). However, these pages can still be accessed directly by URL. Thus, access to the following pages should be restricted (raise 403 forbidden) accordingly under the same circumstances:

http://rsr.localdev.akvo.org/en/myrsr/project_editor/5/
http://rsr.localdev.akvo.org/en/myrsr/results/5/
http://rsr.localdev.akvo.org/en/project/5/add_update/

To clarify, the project id (in bold) can be changed to access project pages which should be disabled. Note, exceptions should be made for superuser where appropriate.
@damienallen damienallen mentioned this issue May 9, 2016
Closed
@KasperBrandt KasperBrandt added this to the 3.14 Riga milestone May 18, 2016
damienallen added a commit that referenced this issue May 23, 2016
@damienallen
[Fixes #2149] Raise 403 when project/update/result editing is not all…
be2db58 
…owed
@damienallen damienallen mentioned this issue May 23, 2016
Merged
@damienallen
Copy link
Contributor Author

damienallen commented May 23, 2016
edited by KasperBrandt
Loading

Test plan

Try opening projects with 'completed' status, 'unpublished' status and with neither.

  • Completed: project editor, results and add update should raise 403
  • Unpublished: only results and add update should raise 403
  • Otherwise: no error should be raised

damienallen added a commit that referenced this issue May 23, 2016
@damienallen
[Fixes #2149] Fixed completed project title link
b24a1b6
damienallen added a commit that referenced this issue May 23, 2016
@damienallen
Merge branch '#2191-edit-updates' into #2149-edit-permission
8aecc4a
damienallen added a commit that referenced this issue May 23, 2016
@damienallen
[Fixes #2149] Merged PR for #2191 and allowed edit for existing updates
8e92e0c
KasperBrandt added a commit that referenced this issue May 23, 2016
@KasperBrandt
[#2149] Disallow superusers to post updates to unpublished projects
778c661
KasperBrandt added a commit that referenced this issue May 24, 2016
@KasperBrandt
Merge pull request #2201 from akvo/#2149-edit-permission
9210809 
[Fixes #2149 and #2191] Project editing permissions
@MichaelAkvo MichaelAkvo moved this to Done in RSR Dec 8, 2022
@MichaelAkvo MichaelAkvo added this to RSR Dec 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@damienallen damienallen

Labels
Bug Quick Fix Type: MyRSR
Projects
RSR
Archived in project
Milestone
3.14 Riga
Development

No branches or pull requests
2 participants
@KasperBrandt @damienallen