Closed Bug 915793 Opened 11 years ago Closed 11 years ago

Rocketfuel collections API should filter on permissions

Categories

(Marketplace Graveyard :: API, defect, P2)

Avenir
x86_64
Windows 7
defect

Tracking

(Not tracked)

RESOLVED FIXED
2013-10-01

People

(Reporter: basta, Assigned: chuck)

References

Details

(Whiteboard: p=2 [qa+])

- Non-app publishers and non-curators should not be able to see hidden collections. Accessing /collection/<id> and /collections/ should not show the hidden collections.
- Curators that are not app publishers should not be able to see collections that they are not the curator of. Accessing /collections/ should not show the collections that the curators cannot see, and accessing /collection/<id> should only show the collection iff the collection at that URI is not hidden.

The second restriction should only apply to the /collections/ API.
The first restriction should apply to both /collections/ and /collection/<id|slug>
This is pretty important. We'll need it before we can give rocketfuel access to carriers.
Priority: -- → P2
Assignee: nobody → charmston
Status: NEW → ASSIGNED
Target Milestone: --- → 2013-10-01
Landed: https://github.com/mozilla/zamboni/compare/9834de9e1f0d...fb58f11ddd03

STR: Create a collection that is not public, but has a person without the Collections:Curate permission marked as a curator.

- When logged in as a user with the Collections:Curate permission, that collection should be visible in the Curation Tool.
- When logged in as the user marked as the curator, the collection should be visible in the Curation Tool.
- When logged in as a user without Collections:Curate and not marked as the curator, that collection should not be visible in the Curation Tool.
- When not logged in, the collection should not be visible in the Curation Tool.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: p=2 [qa+]
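The visibility rules from the description and the STR above, written out as an added Python example (this is not zamboni's own code; the `User`/`Collection` models, the `can_view` and `visible_collections` helpers and the sample data are assumptions; it reads the curator rule as: a collection is visible when it is public, or the viewer holds Collections:Curate, or the viewer is marked as one of its curators):

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Permission string taken from the bug's STR; the models below are hypothetical
# stand-ins for zamboni's Collection and Django user objects.
CURATE = "Collections:Curate"


@dataclass(frozen=True)
class User:
    username: Optional[str] = None          # None models a logged-out visitor
    permissions: FrozenSet[str] = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.username is not None


@dataclass(frozen=True)
class Collection:
    pk: int
    slug: str
    is_public: bool
    curators: FrozenSet[str] = frozenset()   # usernames marked as curators


def can_view(user: User, collection: Collection) -> bool:
    """Rule for /collection/<id|slug>: public collections are visible to
    everyone; hidden ones only to Collections:Curate holders and to the
    users marked as curators of that specific collection."""
    if collection.is_public:
        return True
    if not user.is_authenticated:
        return False
    return CURATE in user.permissions or user.username in collection.curators


def visible_collections(user: User, collections: Iterable[Collection]) -> List[Collection]:
    """Rule for /collections/: apply can_view per row so hidden collections
    never leak into the listing for outsiders or anonymous callers."""
    return [c for c in collections if can_view(user, c)]


# Constructed sample data mirroring the STR: one hidden collection whose
# curator lacks Collections:Curate, plus one public collection.
HIDDEN = Collection(pk=1, slug="carrier-picks", is_public=False, curators=frozenset({"curator_bob"}))
PUBLIC = Collection(pk=2, slug="featured", is_public=True)
ALL_COLLECTIONS = [HIDDEN, PUBLIC]
ANONYMOUS = User()
CURATE_HOLDER = User("alice", frozenset({CURATE}))
MARKED_CURATOR = User("curator_bob")
OUTSIDER = User("carol")
```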