MantisBT - v3.0 Release
View Issue Details
0001237v3.0 Release[All Projects] Generalpublic2012-12-30 23:462013-08-28 11:17
Reportersasquatch58 
Assigned Tocaseydk 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version3.0.0 
Summary0001237: Not possible to delete assigned User Permission
Descriptionw2p git 97669153748c28422b774b6da6bfb314557d77a5
The delete button is no longer accessible in the User Permissions (http://x.y.a.b/w2pV3/index.php?m=admin&a=viewuser&user_id=2&tab=1
You can add specific permissions for a user but can't delete them.
Works fine under V2.31 and V2.4 but not V3
Ubuntu 12.04 server, WinXP / Firefox client
TagsNo tags attached.
related to 0001284closed caseydk FIX: Unworkable user permissions. Related to 0001237 
Attached Files

Notes
(0002761)
caseydk   
2012-12-31 23:42   
Resolved and already merged to master:
https://github.com/caseysoftware/web2project/commit/93084601fa47f26d786977da4a98ecb7b99befee
(0002762)
sasquatch58   
2013-01-01 00:31   
A quick test with latest git pull.93084601fa47f26d786977da4a98ecb7b99befee
Problem is no added permissions are visible but are added in the database & confirmed in System Admin/ Users permission Information .
Can't see them and can't delete them.

(0002803)
sasquatch58   
2013-02-28 12:14   
Still an issue with Web2project V3.0-pre
Git version 3186736eec00dcf27b004f8f886813ffe0fc7888
To recap:
Can set the specific permission for a user, this status shows in the System/View Users Permissions.
Cannot delete the modified permission from User Admin/ Permissions tab as the modified permission is not visible in the LHS column.
Functional in V2.31 (w2p demo site), not functional under V3.0-pre
(0002906)
sasquatch58   
2013-05-23 01:22   
Dropped all tables and regenerated w2p from latest git version df02a7ad3589a07ee97c74c7801145e733dd28b2 just in case previous (my) changes had broken things. So with new install and freshly created User:

Changed user permissions to deny adding a link - all worked OK except that the modified permission wasn't shown on the user permissions view but was shown in the system_acls_view.

Tried to add this permission back & got this message at top of screen
"acl_query(): ACO Section: application ACO Value: delete ARO Section: user ARO Value 3 ACL ID: 31 Result: 1"
and permission (deny) left unchanged.

=> this function is still broken
(0002932)
caseydk   
2013-06-02 23:46   
Resolved very similar to the solution described in 0001284:
https://github.com/web2project/web2project/commit/112a100f9a814214f64c3f1ed6f0a399f54b98ea
(0002939)
sasquatch58   
2013-06-07 01:23   
Testing with git commit/b94ac1dd6dc98eea1f2f21c7a7f5e397732921fe
I can now see the amended permission but have no means of deleting it (x) is still missing.
Also, in the test I did, I added a deny on link edit and the link topic was removed from the dropdown menu so no other modifications could be done to the link permissions.
(0002940)
caseydk   
2013-06-07 08:02   
That behavior is exactly as designed.

If you deny someone (including yourself) access to the Links module, they will be denied access to *anything* related to the Links module.

While this may seem odd, it's particularly important to prevent privilege escalation. I'm not going to describe the details here as this is still an issue in pre-3.0 releases.

Issue History
2012-12-30 23:46sasquatch58New Issue
2012-12-31 23:42caseydkNote Added: 0002761
2012-12-31 23:42caseydkStatusnew => resolved
2012-12-31 23:42caseydkResolutionopen => fixed
2012-12-31 23:42caseydkAssigned To => caseydk
2013-01-01 00:31sasquatch58Note Added: 0002762
2013-01-01 00:31sasquatch58Statusresolved => feedback
2013-01-01 00:31sasquatch58Resolutionfixed => reopened
2013-01-01 00:31sasquatch58Note Edited: 0002762
2013-02-28 12:14sasquatch58Note Added: 0002803
2013-05-23 01:22sasquatch58Note Added: 0002906
2013-06-02 23:39caseydkRelationship addedrelated to 0001284
2013-06-02 23:46caseydkNote Added: 0002932
2013-06-02 23:46caseydkStatusfeedback => resolved
2013-06-02 23:46caseydkResolutionreopened => fixed
2013-06-07 01:24sasquatch58Note Added: 0002939
2013-06-07 01:24sasquatch58Statusresolved => feedback
2013-06-07 01:24sasquatch58Resolutionfixed => reopened
2013-06-07 08:02caseydkNote Added: 0002940
2013-06-07 08:02caseydkStatusfeedback => resolved
2013-06-07 08:02caseydkResolutionreopened => fixed
2013-08-28 11:14caseydkFixed in Version => 3.0.0
2013-08-28 11:17caseydkStatusresolved => closed