davideuler / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0

Editing user permissions copies team permissions directly to the user. #462

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a user with no repository permissions
2. Create a team and add the user to that team as well as set permissions to a repository.
3. Edit the user settings and click save (no changes are required)
4. Go back in and edit the user and view the access permissions

What is the expected output? What do you see instead?
The access permissions under the "mutable" tab should be empty, but instead it shows the repositories defined on the team ("effective" tab).

What version of the product are you using? On what operating system?
1.6.0

Please provide any additional information below.

It appears that the "Effective" tab controls are set up to be posted with the form submissions (which they should not be), thus causing those entries to be added directly to the user's permissions. This can cause issues if you later revoke permissions from a user via team membership, as the permissions were copied locally.

Original issue reported on code.google.com by ur...@outoforder.cc on 14 Jul 2014 at 4:47
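
The behaviour reported above, replayed in a small permission model, together with an audit for user grants that duplicate a team grant. This is an added example, not part of the thread and not Gitblit's code; the function names, the `"RW"` level string and the sample user, team and repository are all constructed assumptions.

```python
# Added illustration of the reported behaviour; a toy model, not Gitblit's code.
# Function names, the "RW" level string and all sample data are constructed.

def effective(user, explicit, teams):
    """Explicit user grants plus grants inherited from the user's teams."""
    perms = dict(explicit.get(user, {}))
    for team in teams.values():
        if user in team["members"]:
            for repo, level in team["repos"].items():
                perms.setdefault(repo, level)
    return perms

def save_user(user, posted, explicit):
    """Persist whatever the edit form posted as the user's own grants."""
    explicit[user] = dict(posted)

def shadowed_grants(explicit, teams):
    """Audit: user grants identical to a grant from a team the user is in."""
    findings = []
    for user, perms in explicit.items():
        for repo, level in perms.items():
            for name, team in teams.items():
                if user in team["members"] and team["repos"].get(repo) == level:
                    findings.append((user, repo, level, name))
    return sorted(findings)

def scenario(form_posts_effective):
    """Replay the report's steps; return (audit findings, access after revoke)."""
    teams = {"devs": {"members": {"alice"}, "repos": {"core.git": "RW"}}}
    explicit = {"alice": {}}                      # step 1: no user permissions
    if form_posts_effective:                      # reported behaviour
        posted = effective("alice", explicit, teams)
    else:                                         # expected behaviour
        posted = explicit["alice"]
    save_user("alice", posted, explicit)          # step 3: save, no changes
    findings = shadowed_grants(explicit, teams)   # run before revoking
    teams["devs"]["members"].discard("alice")     # later: remove from team
    return findings, effective("alice", explicit, teams)

if __name__ == "__main__":
    print(scenario(True))   # copied grant is flagged and survives the revoke
    print(scenario(False))  # nothing flagged, no access left
```

The audit only finds copies while the team membership is still in place, so it has to run before access is revoked. A match can also be a deliberate per-user grant, so the output is a review list rather than a list of entries to delete.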

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Any update on this issue? It's really becoming an issue, as I have to continually edit users multiple times to clean up incorrectly added permissions. This really is a security issue in Gitblit. If you can suggest where in the code I can look through to cleanly make these modifications I'd be more than happy to provide a patch.

Original comment by edw...@humblebundle.com on 8 Aug 2014 at 1:00

GoogleCodeExporter commented 9 years ago

Original comment by James.Mo...@gmail.com on 24 Oct 2014 at 12:11

GoogleCodeExporter commented 9 years ago
Fix pushed to develop.

Original comment by James.Mo...@gmail.com on 31 Oct 2014 at 1:53