- Non-app publishers and non-curators should not be able to see hidden collections. Accessing /collection/<id> and /collections/ should not show the hidden collections.
- Curators that are not app publishers should not be able to see collections that they are not the curator of. Accessing /collections/ should not show the collections that the curators cannot see, and accessing /collection/<id> should only show the collection iff the collection at that URI is not hidden.

The second restriction should only apply to the /collections/ API. The first restriction should apply to both /collections/ and /collection/<id|slug>
This is pretty important. We'll need it before we can give rocketfuel access to carriers.
Priority: -- → P2
Assignee: nobody → charmston
Status: NEW → ASSIGNED
Target Milestone: --- → 2013-10-01
Landed: https://github.com/mozilla/zamboni/compare/9834de9e1f0d...fb58f11ddd03

STR: Create a collection that is not public, but has a person without the Collections:Curate permission marked as a curator.
- When logged in as a user with the Collections:Curate permission, that collection should be visible in the Curation Tool.
- When logged in as the user marked as the curator, the collection should be visible in the Curation Tool.
- When logged in as a user without Collections:Curate and not marked as the curator, that collection should not be visible in the Curation Tool.
- When not logged in, the collection should not be visible in the Curation Tool.
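The visibility matrix from the STR above, written as an added example that is not part of the original comment and is not zamboni's code. The `User`, `Collection`, `can_view`, `list_collections` and `get_collection` names are hypothetical, and the example assumes public collections are visible to everyone; the point is that the list and detail lookups share one predicate, so a hidden collection cannot be reached by requesting its id directly.

```python
from dataclasses import dataclass, field

CURATE = "Collections:Curate"  # permission name taken from the STR above


@dataclass(frozen=True)
class User:  # hypothetical model, not zamboni's
    name: str
    permissions: frozenset = frozenset()


@dataclass
class Collection:  # hypothetical model, not zamboni's
    id: int
    is_public: bool
    curators: set = field(default_factory=set)  # names of users marked as curators


def can_view(user, collection):
    """Single predicate shared by the list and detail lookups."""
    if collection.is_public:  # assumption: public collections are visible to all
        return True
    if user is None:  # anonymous request
        return False
    return CURATE in user.permissions or user.name in collection.curators


def list_collections(user, collections):
    """Stand-in for /collections/: filter per user, never return everything."""
    return [c.id for c in collections if can_view(user, c)]


def get_collection(user, collections, collection_id):
    """Stand-in for /collection/<id>: same check, so a guessed id leaks nothing."""
    for c in collections:
        if c.id == collection_id and can_view(user, c):
            return c
    return None  # a real view would answer with an error status here


# Constructed sample data mirroring the four STR cases.
ADMIN = User("admin", frozenset({CURATE}))
MARKED = User("marked_curator")
OTHER = User("other_user")
COLLECTIONS = [Collection(1, True), Collection(2, False, {"marked_curator"})]
```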
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: p=2 [qa+]