invoiceninja / ui

Invoice Ninja: Web admin portal built with React
https://app.invoicing.co

[Bugfix] Endpoints Permissions | Create Expense Category & Create Task Status #1753

Closed Civolilah closed 4 months ago

Civolilah commented 5 months ago

@beganovich @turbo124 The PR includes two fixes for the /api/v1/task_statuses/create endpoint and /api/v1/expense_categories/create endpoint. These changes ensure that only users with at least ADMIN permissions can create these entities. The client experienced a toaster message indicating that the action was not authorized because they assigned view/edit/create permissions without setting the user to be an admin. This was the reason for the toaster issue. Let me know your thoughts.

turbo124 commented 5 months ago

@Civolilah just to note, this issue impacts all routes where the user only has view permissions; the UI appears to always call the /create endpoint regardless of permission levels, so this PR should be upgraded to cover all /create endpoints please.

Civolilah commented 5 months ago

> @Civolilah just to note, this issue impacts all routes where the user only has view permissions; the UI appears to always call the /create endpoint regardless of permission levels, so this PR should be upgraded to cover all /create endpoints please.

@turbo124 I just checked all of them. Most of them were resolved when I was working on the permissions adjustment. However, three of them still missed the permission check, so I've just added it. So, basically, the queries that require create permission have a check, and queries that require at least admin permission also have a check. Let me know your thoughts.
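The gating described in this thread, as an added illustration rather than code from the invoiceninja/ui repository: the UI checks the user's permissions before it calls a `/create` endpoint, treating `task_statuses` and `expense_categories` as admin-only (per the PR) and every other entity as needing a create permission. The permission string format (`create_<noun>`), the `User` shape and the route-to-noun mapping are assumptions for the example.

```typescript
// Added example, not Invoice Ninja's own code. It avoids calling
// /api/v1/<entity>/create for users who are not allowed to create, which
// is what produced the "not authorized" toaster for view-only users.

// Entities whose /create route requires admin server-side, per the PR.
// Assumption: only these two; other entities need a create permission.
export const ADMIN_ONLY_CREATE = new Set(['task_statuses', 'expense_categories']);

// Assumed user shape: an admin flag plus flat permission strings.
export interface User {
  is_admin: boolean;
  permissions: string[]; // constructed format, e.g. 'view_expense', 'create_expense'
}

// Hypothetical mapping from API route segment to permission noun.
const PERMISSION_NOUN: Record<string, string> = {
  expenses: 'expense',
  tasks: 'task',
  invoices: 'invoice',
};

// Decide client-side whether the /create call is worth making at all.
export function canCallCreate(user: User, entity: string): boolean {
  if (user.is_admin) return true;                // admins may create anything
  if (ADMIN_ONLY_CREATE.has(entity)) return false; // admin-only routes
  const noun = PERMISSION_NOUN[entity] ?? entity;
  return user.permissions.includes(`create_${noun}`);
}

// Wrapper the UI would use instead of fetching /create unconditionally.
// `fetcher` is injected so the function can run offline in a test.
export function fetchCreateBlank(
  user: User,
  entity: string,
  fetcher: (url: string) => Promise<unknown>,
): Promise<unknown> | null {
  if (!canCallCreate(user, entity)) {
    return null; // skip the request; the caller renders a read-only view
  }
  return fetcher(`/api/v1/${entity}/create`);
}
```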

beganovich commented 4 months ago

@turbo124 is this ready for merge?