Closed Bug 1038144 Opened 10 years ago Closed 10 years ago

Display a message when user attempts to edit an event that they are not permitted to

Categories

(Webmaker Graveyard :: Events, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: melissa, Assigned: cade)

Details

(Whiteboard: [events] [july25])

Attachments

(1 file)

Patch needed: 
Event information can be changed via the source code if the user has the event code. This means Person A can change Organization B's event information without permission.
melissa: Can you explain this more? Maybe a URL, and steps to reproduce?
Group: websites-security
Flags: needinfo?(melissa)
Whiteboard: [events] → [events] [july25]
This is part of the email received from a partner (I've filed a separate bug about the edit/pencil icon)

"I was unable to find the pencil icon on my event page, however I went into the source code and found the edit link through there (I also noticed due to this, you are able to edit other people’s events with their event code)..."

From what I gather, she was able to edit her event through the source code, and realized that if you have the event code (provided in the URL given by events.wm.org) you could potentially change someone else's event. I haven't been able to reproduce.
Flags: needinfo?(melissa)
This sounds like an authorization bug in the edit code. I tried to reproduce it but ended up getting a "You are not authorized to edit this event" error on trying to submit the changes.

STR
1. Visit
https://events.webmaker.org/#!/edit/4113
2. Change fields
3. Click "Save Changes"

Results
You see the edit page for my event, but are unable to change anything

I will have to look at the workflow when using an intercepting proxy, but from the sounds of it, this is more of a UI/UX bug. The information displayed for the event should already be public from visiting the regular event page.
Yeah, that sounds about right. We can just change the UX to see if the currently logged-in user is able to edit the event or not.
Group: websites-security
Summary: Other event posts can be accessed/change via source code → Improve UX around attempting to edit other users events
Component: Maker Party → Events
jbuck can you help edit the title of this bug for clarity around what needs to happen? I'm not sure I'm following as to whether this is a technical or a design bug.
Flags: needinfo?(jbuck)
* Is this still needed?
Flags: needinfo?(melissa)
Nope. I haven't heard back from the original commenter, and I believe this was user-confusion (not quite error) in the end. Thanks for looking into it!
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(melissa)
Resolution: --- → INVALID
Flags: needinfo?(jbuck) → needinfo?(jon)
It's user confusion, and we can make it better!

Basically, display a message like "This account does not have permission to edit this event" when the user editing the event is not an organizer, co-organizer, or admin.
Assignee: nobody → cade
Status: RESOLVED → REOPENED
Flags: needinfo?(jon)
Resolution: INVALID → ---
Summary: Improve UX around attempting to edit other users events → Display a message when user attempts to edit an event that they are not permitted to
Status: REOPENED → ASSIGNED
Comment on attachment 8462773 [details] [review]
https://github.com/mozilla/webmaker-events-2/pull/163

Looks good, but let's clean this up with an isEditable fn
Attachment #8462773 - Flags: review?(jon) → review-
Attachment #8462773 - Flags: review- → review?(jon)
Comment on attachment 8462773 [details] [review]
https://github.com/mozilla/webmaker-events-2/pull/163

r+ with one nit noted in the PR
Attachment #8462773 - Flags: review?(jon) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
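
The check discussed in this bug, as an added example that is not part of the thread or of the webmaker-events-2 code: one `isEditable` function decides whether the UI shows the edit form or the "does not have permission" message, and the save handler repeats the same check on the server, so a user who reaches the edit URL directly is still refused. The field names (`organizerId`, `coorganizers`, `isAdmin`), the in-memory `store` and the sample event are assumptions made for illustration.

```javascript
// Hypothetical shapes (assumptions, not the project's schema):
//   user  = { id, isAdmin }
//   event = { id, organizerId, coorganizers: [userId, ...], title }
const NOT_PERMITTED = 'This account does not have permission to edit this event';

// The rule from the bug: organizer, co-organizer, or admin may edit.
function isEditable(user, event) {
  if (!user || !event) return false;            // not logged in, or no such event
  if (user.isAdmin === true) return true;
  if (event.organizerId === user.id) return true;
  return Array.isArray(event.coorganizers) && event.coorganizers.includes(user.id);
}

// Client side: choose what the edit route renders. This is UX only;
// hiding the form does not protect the event.
function editView(user, event) {
  return isEditable(user, event)
    ? { view: 'edit-form', message: null }
    : { view: 'read-only', message: NOT_PERMITTED };
}

// Server side: the actual control. The user comes from the session and the
// event from storage, never from fields supplied in the request body.
function handleUpdate(sessionUser, eventId, changes, store) {
  const event = store.get(eventId);
  if (!event) return { status: 404, body: { error: 'Event not found' } };
  if (!isEditable(sessionUser, event)) {
    return { status: 403, body: { error: 'You are not authorized to edit this event' } };
  }
  // Drop ownership fields so an editor cannot reassign the event through an update.
  const { id, organizerId, coorganizers, ...safe } = changes;
  store.set(eventId, { ...event, ...safe });
  return { status: 200, body: store.get(eventId) };
}

// Constructed sample data.
const store = new Map([
  [1, { id: 1, organizerId: 'u1', coorganizers: ['u2'], title: 'Maker Party' }],
]);
console.log(editView({ id: 'u3', isAdmin: false }, store.get(1)));
console.log(handleUpdate({ id: 'u3', isAdmin: false }, 1, { title: 'Changed' }, store));
```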