Rocketfuel collections API should filter on permissions

RESOLVED FIXED in 2013-10-01

Status

Marketplace
API
P2
normal
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: basta, Assigned: chuck)

Tracking

Avenir
2013-10-01
x86_64
Windows 7
Points:
---

Details

(Whiteboard: p=2 [qa+])

(Reporter)

Description

5 years ago
- Non-app publishers and non-curators should not be able to see hidden collections. Accessing /collection/<id> and /collections/ should not show the hidden collections.
- Curators that are not app publishers should not be able to see collections that they are not the curator of. Accessing /collections/ should not show the collections that the curators cannot see, and accessing /collection/<id> should only show the collection iff the collection at that URI is not hidden.

The second restriction should only apply to the /collections/ API.
The first restriction should apply to both /collections/ and /collection/<id|slug>
Blocks: 894417
(Reporter)

Comment 1

5 years ago
This is pretty important. We'll need it before we can give rocketfuel access to carriers.
Priority: -- → P2
(Assignee)

Updated

5 years ago
Assignee: nobody → charmston
Status: NEW → ASSIGNED
Target Milestone: --- → 2013-10-01
(Assignee)

Comment 2

5 years ago
Landed: https://github.com/mozilla/zamboni/compare/9834de9e1f0d...fb58f11ddd03

STR: Create a collection that is not public, but has a person without the Collections:Curate permission marked as a curator.

- When logged in as a user with the Collections:Curate permission, that collection should be visible in the Curation Tool.
- When logged in as the user marked as the curator, the collection should be visible in the Curation Tool.
- When logged in as a user without Collections:Curate and not marked as the curator, that collection should not be visible in the Curation Tool.
- When not logged in, the collection should not be visible in the Curation Tool.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: p=2 [qa+]
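
The four cases in the STR of Comment 2, as an added Python example of one visibility check shared by the list and detail endpoints. This is not zamboni's code: the class and function names, the sample store and the choice to answer 404 for a hidden collection are assumptions for illustration, and only the `Collections:Curate` permission name comes from this bug.

```python
from dataclasses import dataclass, field

CURATE = "Collections:Curate"  # permission name taken from Comment 2

@dataclass(frozen=True)
class User:  # hypothetical stand-in for a logged-in account
    name: str
    permissions: frozenset = frozenset()

@dataclass
class Collection:  # hypothetical stand-in for a collection record
    id: int
    is_public: bool
    curators: set = field(default_factory=set)  # names of users marked as curator

def can_view(user, coll):
    """Object-level check for the four STR cases; user is None when not logged in."""
    if coll.is_public:
        return True          # assumption: public collections are visible to everyone
    if user is None:
        return False         # case 4: not logged in
    # cases 1-3: global permission, or marked as curator of this collection
    return CURATE in user.permissions or user.name in coll.curators

def list_collections(user, store):
    """List endpoint: filter before serializing so hidden rows never leave the server."""
    return [c.id for c in store.values() if can_view(user, c)]

def get_collection(user, store, coll_id):
    """Detail endpoint: same predicate as the list. A hidden collection is answered
    like a missing one (assumption), so ids cannot be probed for existence."""
    coll = store.get(coll_id)
    if coll is None or not can_view(user, coll):
        return 404, None
    return 200, coll.id

# Constructed sample data: one public collection, one hidden with a named curator.
STORE = {
    1: Collection(1, is_public=True),
    2: Collection(2, is_public=False, curators={"carol"}),
}
ADMIN = User("alice", frozenset({CURATE}))
CURATOR = User("carol")
OTHER = User("bob")

if __name__ == "__main__":
    for who in (ADMIN, CURATOR, OTHER, None):
        print(who.name if who else "anonymous", list_collections(who, STORE))
```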