Closed mathewrapid closed 7 years ago
Hi @mathewrapid !
You're right, I can reproduce this bug on my environment. A fix is welcome; if you have time to contribute, we'll be glad to help you!
Hi @pierallard !
I'm thinking that it could be patched by checking the job type (export, _quickexport, import) in the controller and then checking for user rights.
What would you suggest?
Hello @mathewrapid. The problem is that acl ancestors were not applied to the https://github.com/akeneo/pim-community-dev/blob/master/src/Pim/Bundle/EnrichBundle/Controller/JobTrackerController.php#L104 method (and, it looks like, to all other controller methods), unlike in the case of https://github.com/akeneo/pim-community-dev/blob/master/src/Pim/Bundle/ImportExportBundle/Controller/ExportProfileController.php#L50
If you have additional questions, you are welcome :-)
Hi @a2xchip
Yes, that is the problem. Now, I'm 99% sure (correct me if I'm wrong) that this cannot be fixed by adding the acl ancestors to the JobTrackerController, as it is used to view jobs regardless of their type (import, export, etc.).
So, I'm wondering what would be the best way to solve this? In JobTrackerController, load the job, check its type and then apply the isGranted logic to it?
@mathewrapid Sounds good :-) @pierallard what do you think?
Sorry for my late answer! Yes, you're right, ACL annotations only work for "simple" cases. In this case, I think you cannot use an annotation... You have to know if the job is "import" or "export" before throwing an "unauthorized" response.
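An added illustration of the approach discussed above (this is example code, not the project's own controller and not the eventual PR): load the job execution, map its job type to the ACL that the matching export/import route already enforces, and refuse before rendering. The repository service id, the getJobInstance()/getType() accessors and the ACL identifiers are assumptions or placeholders.

```php
<?php
// Example (not project code): object-level authorization for a job-tracker
// "show" action. An @AclAncestor annotation cannot express "the required
// permission depends on the job's type", so the check is done in code.

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

class JobTrackerShowExample extends Controller
{
    // Assumption: placeholder ACL ids; substitute the real "show export
    // execution" / "show import execution" ACLs used by the import/export routes.
    const ACL_BY_JOB_TYPE = [
        'export' => 'ACL_SHOW_EXPORT_EXECUTION_PLACEHOLDER',
        'import' => 'ACL_SHOW_IMPORT_EXECUTION_PLACEHOLDER',
    ];

    /**
     * Show one job execution, but only if the user may see that kind of job.
     *
     * @param int $id
     *
     * @return Response
     */
    public function showAction($id)
    {
        // Assumption: a job-execution repository service exists and the
        // execution exposes its job instance, whose type is "import" or "export".
        $jobExecution = $this->get('job_execution_repository')->find($id);
        if (null === $jobExecution) {
            throw $this->createNotFoundException(sprintf('Job execution %d not found', $id));
        }

        $type = $jobExecution->getJobInstance()->getType();
        $acl  = isset(self::ACL_BY_JOB_TYPE[$type]) ? self::ACL_BY_JOB_TYPE[$type] : null;

        // Fail closed: an unknown job type, or a missing grant, yields 403
        // exactly like the dedicated export/import execution routes do.
        if (null === $acl || !$this->isGranted($acl)) {
            throw $this->createAccessDeniedException();
        }

        return $this->render('JobTrackerExample:show.html.twig', [
            'execution' => $jobExecution,
        ]);
    }
}
```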
Hello @mathewrapid any news on this issue?
Hi @a2xchip,
I think this is up for grabs. Have not had time to make a PR.
@mathewrapid Hello! Thanks for the quick reply, gonna fix it before the 1.7 release :-)
Hi @a2xchip !
Any update about a PR? :)
For the last 7 hours I was sleeping, but it's coming ;-)
Sorry @a2xchip, I didn't see the time on your last message. Hope you slept well! :p Have a good day!
I'm reporting a Bug

When the user does not have rights to export profiles, the export job can still be accessed through the path /job/show/{id}, whereas the /spread/export_execution/{id} path correctly gives a 403 response.