Anonymous Login
2019-10-15 12:27 PDT

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0001237v3.0 Release[All Projects] Generalpublic2013-08-28 11:17
Reportersasquatch58 
Assigned Tocaseydk 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
Product Version 
Target VersionFixed in Version3.0.0 
Summary0001237: Not possible to delete assigned User Permission
Descriptionw2p git 97669153748c28422b774b6da6bfb314557d77a5
The delete button is no longer accessible in the User Permissions (http://x.y.a.b/w2pV3/index.php?m=admin&a=viewuser&user_id=2&tab=1
You can add specific permissions for a user but can't delete them.
Works fine under V2.31 and V2.4 but not V3
Ubuntu 12.04 server, WinXP / Firefox client
TagsNo tags attached.
Attached Files

-Relationships
related to 0001284closedcaseydk FIX: Unworkable user permissions. Related to 0001237 
+Relationships

-Notes

~0002761

caseydk (administrator)

Resolved and already merged to master:
https://github.com/caseysoftware/web2project/commit/93084601fa47f26d786977da4a98ecb7b99befee

~0002762

sasquatch58 (reporter)

Last edited: 2013-01-01 00:31

A quick test with latest git pull.93084601fa47f26d786977da4a98ecb7b99befee
Problem is no added permissions are visible but are added in the database & confirmed in System Admin/ Users permission Information .
Can't see them and can't delete them.

~0002803

sasquatch58 (reporter)

Still an issue with Web2project V3.0-pre
Git version 3186736eec00dcf27b004f8f886813ffe0fc7888
To recap:
Can set the specific permission for a user, this status shows in the System/View Users Permissions.
Cannot delete the modified permission from User Admin/ Permissions tab as the modified permission is not visible in the LHS column.
Functional in V2.31 (w2p demo site), not functional under V3.0-pre

~0002906

sasquatch58 (reporter)

Dropped all tables and regenerated w2p from latest git version df02a7ad3589a07ee97c74c7801145e733dd28b2 just in case previous (my) changes had broken things. So with new install and freshly created User:

Changed user permissions to deny adding a link - all worked OK except that the modified permission wasn't shown on the user permissions view but was shown in the system_acls_view.

Tried to add this permission back & got this message at top of screen
"acl_query(): ACO Section: application ACO Value: delete ARO Section: user ARO Value 3 ACL ID: 31 Result: 1"
and permission (deny) left unchanged.

=> this function is still broken

~0002932

caseydk (administrator)

Resolved very similar to the solution described in 0001284:
https://github.com/web2project/web2project/commit/112a100f9a814214f64c3f1ed6f0a399f54b98ea

~0002939

sasquatch58 (reporter)

Testing with git commit/b94ac1dd6dc98eea1f2f21c7a7f5e397732921fe
I can now see the amended permission but have no means of deleting it (x) is still missing.
Also, in the test I did, I added a deny on link edit and the link topic was removed from the dropdown menu so no other modifications could be done to the link permissions.

~0002940

caseydk (administrator)

That behavior is exactly as designed.

If you deny someone (including yourself) access to the Links module, they will be denied access to *anything* related to the Links module.

While this may seem odd, it's particularly important to prevent privilege escalation. I'm not going to describe the details here as this is still an issue in pre-3.0 releases.
+Notes

-Issue History
Date Modified Username Field Change
2012-12-30 23:46 sasquatch58 New Issue
2012-12-31 23:42 caseydk Note Added: 0002761
2012-12-31 23:42 caseydk Status new => resolved
2012-12-31 23:42 caseydk Resolution open => fixed
2012-12-31 23:42 caseydk Assigned To => caseydk
2013-01-01 00:31 sasquatch58 Note Added: 0002762
2013-01-01 00:31 sasquatch58 Status resolved => feedback
2013-01-01 00:31 sasquatch58 Resolution fixed => reopened
2013-01-01 00:31 sasquatch58 Note Edited: 0002762
2013-02-28 12:14 sasquatch58 Note Added: 0002803
2013-05-23 01:22 sasquatch58 Note Added: 0002906
2013-06-02 23:39 caseydk Relationship added related to 0001284
2013-06-02 23:46 caseydk Note Added: 0002932
2013-06-02 23:46 caseydk Status feedback => resolved
2013-06-02 23:46 caseydk Resolution reopened => fixed
2013-06-07 01:24 sasquatch58 Note Added: 0002939
2013-06-07 01:24 sasquatch58 Status resolved => feedback
2013-06-07 01:24 sasquatch58 Resolution fixed => reopened
2013-06-07 08:02 caseydk Note Added: 0002940
2013-06-07 08:02 caseydk Status feedback => resolved
2013-06-07 08:02 caseydk Resolution reopened => fixed
2013-08-28 11:14 caseydk Fixed in Version => 3.0.0
2013-08-28 11:17 caseydk Status resolved => closed
+Issue History