Bug #13169
Editors and translators should be able to access the physical storage module
| Status: | Verified | Start date: | 09/10/2019 | |
|---|---|---|---|---|
| Priority: | Medium | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | User management | |||
| Target version: | Release 2.5.3 | |||
| Google Code Legacy ID: | Tested version: | 2.5 | ||
| Sponsored: | No | Requires documentation: | Yes |
Description
In the 2.4 release, we discovered some inconsistencies in the default permissions, and that authenticated users who were not part of any group could access modules they should not be able to view. We corrected many of these in issue #11075.
However, in that fix, we implemented too extreme a solution, allowing only administrators to view the physical storage module. There are many cases where Editors may need access, and local translators may also need to add translated container names.
It turns out that the default permissions are contained in a configurable YAML file, located here:
This fix will change the default permissions so that:
- Administrators, Contributors, Editors, and Translators can view physical storage records (via link or direct URL)
- Administrators, Editors, and Translators can browse and edit physical storage records
- Administrators and Editors can delete physical storage records
For any users who wish to restrict these permissions further, they can make local edits to the YAML file listed above.
Related issues
History
#1 Updated by Dan Gillean 9 months ago
- Status changed from New to Code Review
- Assignee changed from Dan Gillean to David Juhasz
PR for CR: https://github.com/artefactual/atom/pull/966
#2 Updated by David Juhasz 9 months ago
- Assignee changed from David Juhasz to Dan Gillean
I've requested a change on the PR. :)
#3 Updated by Dan Gillean 9 months ago
- Description updated (diff)
#5 Updated by David Juhasz 9 months ago
- Assignee changed from David Juhasz to Dan Gillean
Dan, back to you with Round 2 of feedback. :)
#6 Updated by Dan Gillean 9 months ago
- Description updated (diff)
- Assignee changed from Dan Gillean to David Juhasz
#7 Updated by Dan Gillean 9 months ago
- Description updated (diff)
- Status changed from Code Review to Verified
- Assignee deleted (
David Juhasz)
Merged into 2.6 in: https://github.com/artefactual/atom/commit/378a77feb80ea9040ad4057fe1388dc6d552a7b3
This was also cherry-picked to stable/2.5.x in: https://github.com/artefactual/atom/commit/819666542f504e978907ad64bc6bdff718c22f36
However, since it was not included in the 2.5.2 tarball and we currently have no plans to make a 2.5.3 release before 2.6 is available, I'm leaving the Target version set to 2.6 for this one.
#8 Updated by Dan Gillean 8 months ago
- Target version changed from Release 2.6.0 to Release 2.5.3
#9 Updated by Dan Gillean 7 months ago
- Related to Bug #11075: Authenticated users can access browse pages and functionality that should be restricted to groups added