hpi-swt2 / event-und-raumplanung

A tool intended to improve internal event planning, with a particular focus on the allocation of rooms and equipment.
GNU Affero General Public License v3.0

[CRITICAL] Any user can approve and reject events #324

Closed leoselig closed 9 years ago

leoselig commented 9 years ago

The navigation link is hidden if "open requests" is forbidden for a user (nevertheless, in a wrong way, see #323). BUT: open the route /events_approval and you are allowed to view all requests, approve or reject them, and see already approved events. Speechless...

jaSunny commented 9 years ago

Yes, but they have to address the related page manually in the browser. However, an additional permissions check would be great.

SvenLehmann commented 9 years ago

I fixed that bug; you need to be a member of a group to access that page. But there is a new follow-up bug I think... a user who has the ability to approve events by being a member of a group can see any open requests and is able to approve/disapprove any of them.

SvenLehmann commented 9 years ago

The follow-up bug should be fixed as well.

leoselig commented 9 years ago

Does this fix #323 ?

SvenLehmann commented 9 years ago

As I commented in #323, I can't reproduce that bug. Everything seems to work fine.

SvenLehmann commented 9 years ago

@leoselig please review on the dev branch whether this bug and #323 are completely fixed (at least I hope so).

leoselig commented 9 years ago

Not fixed. Reproduction:

It seems that there are no security checks on the approve/reject actions. Since the POST cannot be performed via the UI, as the page is not accessible to User B, this is rather low prio at the moment.
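The server-side check the comment above finds missing, as an added example in plain Ruby that is not the project's own code: the model names (User, EventRequest, group membership) and the policy-object shape are assumptions, but the two rules it enforces are the two bugs described in this thread (page reachable by anyone; group members able to approve requests of other groups).

```ruby
# Added example, not code from the event-und-raumplanung project. Assumed model
# shape: users belong to groups; each request names the group that approves it.
User         = Struct.new(:name, :group_ids)
EventRequest = Struct.new(:id, :title, :approving_group_id, :status)

class NotAuthorized < StandardError; end

class EventApprovalPolicy
  def initialize(user)
    @user = user
  end

  # First bug in the thread: /events_approval was reachable by any user.
  # Only members of at least one group may see the page at all.
  def index?
    !@user.group_ids.empty?
  end

  # Follow-up bug: any group member could approve *any* request. Approving
  # or rejecting is limited to open requests assigned to one of the user's
  # own groups.
  def approve?(request)
    request.status == :open && @user.group_ids.include?(request.approving_group_id)
  end
  alias reject? approve?

  # Listing uses the same rule, so other groups' requests are never shown.
  def visible_requests(requests)
    requests.select { |r| approve?(r) }
  end
end

# What the approve/reject action must do: check the policy before mutating,
# independently of whether the UI shows a button, because the POST can be
# sent directly as the thread notes.
def approve_request!(user, request)
  unless EventApprovalPolicy.new(user).approve?(request)
    raise NotAuthorized, "#{user.name} may not approve request #{request.id}"
  end
  request.status = :approved
  request
end

# Constructed sample data: group 1 = room planning, group 2 = equipment.
ALICE = User.new('alice', [1]) # approver for room requests only
BOB   = User.new('bob', [])    # ordinary user without any group
ROOM_REQUEST      = EventRequest.new(7, 'Lecture hall booking', 1, :open)
EQUIPMENT_REQUEST = EventRequest.new(8, 'Projector', 2, :open)
```

In a Rails controller the same policy would be consulted from a `before_action` on the approve and reject actions, not only when rendering the list.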

jaSunny commented 9 years ago

Let's break it up into a different user story as a kind of security improvement. Relates to #334. This bug deals with the frontend page ("Offene Anfragen") whereas #334 deals with the backend.