Closed Bug 290633 Opened 20 years ago Closed 20 years ago

Access Denied for all edit version pages & edit extension details page

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bugzilla-mozilla-20000923, Assigned: Bugzilla-alanjstrBugs)

Details

(Keywords: regression)

Attachments

(1 file)

After logging in, going to ChatZilla listing, adding two new versions (currently
pending approval), I tried to view the listmanager's editversion page. It gives
Access Denied messages for every single version, including the two I just added.

Also, it shows nothing next to "Permissions:" in My Profile, which may be related.

Seems to also give the error for editmain too, so it may well be that you guys
didn't set up the permissions yet/properly. ;)

Either way, it is broken.
It has to do with your role being developer, so it's a PHP problem. As an Admin,
I can see it just fine.
Severity: normal → major
This appears to be a regression from Bug 279398.

Listmanager isn't just for admins. It probably should be, but.

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/webtools/update/developers&command=DIFF_FRAMESET&file=listmanager.php&rev2=1.7&rev1=1.6

Unfortunately, that bug doesn't give a lot of detail as to why the change was
made, but an incorrect assumption was definitely used, as listmanager isn't just
for admins *at all*
Keywords: regression
*** Bug 290662 has been marked as a duplicate of this bug. ***
Summary: Access Denied for all edit version pages → Access Denied for all edit version pages & edit extension details page
The functions in this file are:
$function=="editmain"
$function=="editversion"
and !$function

listmanager should be split into two files, listmanager (the admin thing) and
edititem which will have checks to make sure that the user has permission to
edit it.
The code rearchitecture probably should wait for another bug. Was there actually
a real bug involved in changing the if that regressed this? listmanager has no
admin-specific functions.

If the issue was that editors were being granted full-list rights, then simply
change the if to read (based on version 1.6):

From:
if ($_SESSION["level"] !=="admin" and $_SESSION["level"] !=="editor") {

To:
if ($_SESSION["level"] !=="admin") {

so it'll execute the "does this belong to you" check for editors too. :-)
Target Milestone: 1.0 → 1.1
Attachment #181501 - Flags: first-review?(mike.morgan)
Status: NEW → ASSIGNED
Comment on attachment 181501 [details] [diff] [review]
If non-admin, can only edit their own

Patch works as described.
Attachment #181501 - Flags: first-review?(mike.morgan) → first-review+
Landed into CVS
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
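
The authorization rule the thread converges on ("if non-admin, can only edit their own"), set beside the role-only gate that produces the reported Access Denied, as an added example that is not the addons.mozilla.org code. The `uid` session key, the `ITEM_AUTHORS` table, and both function names are assumptions made for illustration; only `$_SESSION["level"]` and the level names come from the bug.

```php
<?php
declare(strict_types=1);

// Constructed sample data: item id => user ids listed as its authors.
// Stand-in for whatever ownership lookup the real site performs (assumption).
const ITEM_AUTHORS = [
    101 => [7],      // item 101 belongs to user 7
    102 => [8, 9],   // item 102 belongs to users 8 and 9
];

/** Role-only gate: every non-admin is denied, whatever item is requested. */
function canEditRoleOnly(array $session, int $itemId): bool
{
    return ($session['level'] ?? '') === 'admin';
}

/** Admins may edit anything; every other level must pass the ownership check. */
function canEditOwned(array $session, int $itemId): bool
{
    if (($session['level'] ?? '') === 'admin') {
        return true;
    }
    $uid = $session['uid'] ?? null;   // hypothetical key holding the user id
    if (!is_int($uid)) {
        return false;                 // no authenticated user id: fail closed
    }
    // Strict comparison so "7" or true can never match user id 7.
    return in_array($uid, ITEM_AUTHORS[$itemId] ?? [], true);
}

// Constructed sessions covering each level mentioned in the bug.
$cases = [
    'developer, own item'   => [['level' => 'developer', 'uid' => 7], 101],
    'developer, other item' => [['level' => 'developer', 'uid' => 7], 102],
    'editor, other item'    => [['level' => 'editor', 'uid' => 3], 101],
    'admin, any item'       => [['level' => 'admin', 'uid' => 1], 102],
    'no uid in session'     => [['level' => 'developer'], 101],
];

foreach ($cases as $label => [$session, $itemId]) {
    printf("%-22s role-only=%-5s owned=%s\n", $label,
        var_export(canEditRoleOnly($session, $itemId), true),
        var_export(canEditOwned($session, $itemId), true));
}
```

The per-item check has to run on every editmain and editversion request, keyed on the item id in that request, not once at login.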