marthamareal opened this issue Apr 15, 2022 · 0 comments
Labels: 4.0.x, API v2, major (A high priority issue which might affect a lot of people or large parts of the codebase), master, security (Pull requests that address a security vulnerability)
Expected Behavior
Users in groups with manage permissions should be able to access API /api/v2/resources/{resource_id}/permissions
Actual Behavior
403 is returned when a user in a group that has Manage permissions on a resource accesses /api/v2/resources/{resource_id}/permissions
This is because the API considers the permission class IsOwnerOrAdmin here, which uses get_users_with_perms. Note: this should also check for users in groups with manage permissions.
Steps to Reproduce the Problem
1. As an admin, select a resource and share it with a group with managers, and assign Manage permission and save
2. Access the resource permissions API /api/v2/resources/{resource_id}/permissions as a member in the above group
marthamareal changed the title from "Permissions API return 403 on users with manage permisions" to "Permissions API return 403 on users in groups with manage permission on a resource" (Apr 15, 2022)
…ge permission on a resource (#9117)
* [Fixes#9106] Implement API for compact permissions
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [Fixes#9116] Permissions API return 403 on users in groups with manage permission on a resource
…ge permission on a resource (#9117) (#9127)
* [Fixes#9106] Implement API for compact permissions
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [CircleCi] Fix tests
* [Fixes#9116] Permissions API return 403 on users in groups with manage permission on a resource
Co-authored-by: Alessio Fabiani <alessio.fabiani@geo-solutions.it>
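
The gap reported in this issue, as an added example that is not GeoNode's code: a check that resolves only per-user assignments answers 403 to a member of a group holding the permission, while a check that also resolves group assignments answers 200 without widening access for anyone else. The `Resource` and `User` classes, the resolver names, the `manage` label and the owner-or-superuser shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MANAGE = "manage"  # placeholder permission label, not GeoNode's codename


@dataclass
class Resource:
    owner: str
    user_perms: dict = field(default_factory=dict)   # username -> set of perms
    group_perms: dict = field(default_factory=dict)  # group name -> set of perms


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    is_superuser: bool = False


def direct_perms(resource, user):
    """Permissions assigned to the user itself (the behaviour reported)."""
    return set(resource.user_perms.get(user.name, ()))


def effective_perms(resource, user):
    """Direct permissions plus those inherited from each group of the user."""
    perms = direct_perms(resource, user)
    for group in user.groups:
        perms |= set(resource.group_perms.get(group, ()))
    return perms


def permissions_endpoint_status(resource, user, resolver):
    """Status a permissions endpoint would return under the given resolver."""
    if user.is_superuser or user.name == resource.owner:
        return 200
    return 200 if MANAGE in resolver(resource, user) else 403


def status_matrix(resolver):
    # Constructed sample data: one resource shared with two groups.
    res = Resource(owner="alice",
                   user_perms={"bob": {MANAGE}},
                   group_perms={"managers": {MANAGE}, "viewers": {"view"}})
    users = [User("alice"), User("root", is_superuser=True), User("bob"),
             User("carol", frozenset({"managers"})),
             User("dave", frozenset({"viewers"})), User("eve")]
    return {u.name: permissions_endpoint_status(res, u, resolver) for u in users}
```

Running `status_matrix` with both resolvers gives a regression matrix: only `carol` (group member with manage) should change from 403 to 200, and `dave` (group member with view only) must stay at 403.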