Bug #9555

Wrong call to forwardUnauthorized in QubitAclSearch

Added by José Raddaoui Marín about 6 years ago. Updated about 6 years ago.

Status: Verified
Start date: 03/09/2016
Priority: Medium
Due date:
Assignee: José Raddaoui Marín
% Done: 0%
Category: Access Control
Target version: Release 2.3.0
Google Code Legacy ID:
Tested version: 2.0.0, 2.0.1, 2.1, 2.1.1, 2.1.2, 2.2, 2.3
Sponsored: No
Requires documentation:

Description

The QubitAcl class was divided into multiple classes, but one of the calls to the forwardUnauthorized method in QubitAclSearch was left using self instead of the QubitAcl class.

https://github.com/artefactual/atom/blob/qa/2.3.x/plugins/qbAclPlugin/lib/QubitAclSearch.class.php#L113
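The following is an added, reduced model of the defect described above; it is not AtoM's code. It assumes that forwardUnauthorized is a static method that now lives on QubitAcl, that QubitAclSearch is a separate class rather than a subclass of QubitAcl (otherwise self:: would still resolve through inheritance), and the method bodies are stand-ins. The point it shows is that after the split, self:: names QubitAclSearch, so the unauthorized branch of the access check raises an Error instead of forwarding the user, while the corrected call names the class that owns the method.

```php
<?php
// Added illustration (not AtoM's code): reduced model of the class split in the ticket.
// Assumed shapes: QubitAcl owns a static forwardUnauthorized(); QubitAclSearch is a
// separate class that must call it explicitly. Bodies are stand-ins.

class QubitAcl
{
    public static function forwardUnauthorized(): string
    {
        // In the real application this forwards to the login or error page;
        // here it only returns a marker so the two call sites can be compared.
        return 'forwarded-unauthorized';
    }
}

class QubitAclSearch
{
    // Buggy variant: self:: resolves to QubitAclSearch, which has no
    // forwardUnauthorized() after the split, so the deny branch throws an Error
    // at the call site instead of forwarding the user.
    public static function checkBuggy(bool $hasReadPermission): string
    {
        if (!$hasReadPermission) {
            return self::forwardUnauthorized();
        }
        return 'ok';
    }

    // Fixed variant: the call names the class that actually owns the method.
    public static function checkFixed(bool $hasReadPermission): string
    {
        if (!$hasReadPermission) {
            return QubitAcl::forwardUnauthorized();
        }
        return 'ok';
    }
}

// Demonstration with a user who lacks read permission (the case from the ticket).
echo QubitAclSearch::checkFixed(false), PHP_EOL;

try {
    echo QubitAclSearch::checkBuggy(false), PHP_EOL;
} catch (Error $e) {
    // The undefined-method Error is what surfaced the bug: the deny path fails
    // with an application error rather than the intended forward.
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

Running the script shows why the symptom only appears for users without read permission: the permitted path never reaches the misresolved call, so the defect is invisible until an access check actually denies.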

History

#2 Updated by José Raddaoui Marín about 6 years ago

  • Subject changed from Wrong call to forwardUnauthorized QubitAclSearch to Wrong call to forwardUnauthorized in QubitAclSearch

#3 Updated by José Raddaoui Marín about 6 years ago

  • Status changed from In progress to QA/Review
  • Assignee changed from José Raddaoui Marín to Nick Wilkinson

Fixed in 8074662

#4 Updated by Dan Gillean about 6 years ago

  • Assignee changed from Nick Wilkinson to Dan Gillean

Hey Radda,

Can you tell me a bit more about how I should be testing this issue? Or maybe what the steps were to reproduce it in the first place, so I can add that to the issue description, in case users in the forum come across this bug? Thanks!

#5 Updated by José Raddaoui Marín about 6 years ago

Hi Dan, sorry for the developer description. The issue was happening when the user didn't have read permissions over any of the resources in the authority records browse page. I've tried to reproduce it now and I've had to deny read permissions for all authority records and for all archival descriptions to be redirected to the login page instead of seeing the resources. This looks like another bug to me, so feel free to file another ticket if you think that too.

#6 Updated by Sara Allain about 6 years ago

  • Assignee changed from Dan Gillean to José Raddaoui Marín

Denying an anonymous user read permissions on authority records results in the anon user encountering a login page when trying to view an authority record. I didn't have to deny the anon user view rights for archival descriptions. So - I think this is verified, based on the comments in the related ticket, but Radda, can you confirm that this is the desired behaviour?

#7 Updated by José Raddaoui Marín about 6 years ago

  • Assignee changed from José Raddaoui Marín to Sara Allain

Hi Sara, after denying read permissions on all authority records are you being redirected to the login page from the browse ath. records page?

#8 Updated by Sara Allain about 6 years ago

  • Assignee changed from Sara Allain to José Raddaoui Marín

Correct. An anonymous user who is denied read rights over authority records is redirected to a login page from the browse authority records page.

An authenticated user who is denied read rights over authority records is shown an error page ("Sorry, you do not have permission to access that page").

I think this is correct!

#9 Updated by Sara Allain about 6 years ago

  • Status changed from QA/Review to Verified
