kamasheto / smarterscrum

Just another scrum tool, except smarter.

Fix permissions and Security #31

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Success Scenarios:

Failure Scenarios:

Tasks:
Code, Scenario

Original issue reported on code.google.com by menna.gh...@gmail.com on 17 Jun 2010 at 8:51

GoogleCodeExporter commented 8 years ago
What about the reviewer? (A)

Original comment by mahmoudsakr87 on 17 Jun 2010 at 8:57

GoogleCodeExporter commented 8 years ago

Original comment by menna.gh...@gmail.com on 17 Jun 2010 at 9:11

GoogleCodeExporter commented 8 years ago
There, so you don't get upset :$ sorry, I honestly forgot :D

Original comment by menna.gh...@gmail.com on 17 Jun 2010 at 9:12

GoogleCodeExporter commented 8 years ago

Original comment by menna.gh...@gmail.com on 22 Jun 2010 at 9:35

GoogleCodeExporter commented 8 years ago

Original comment by menna.gh...@gmail.com on 25 Jun 2010 at 1:44

GoogleCodeExporter commented 8 years ago
Which stories are these permissions applied for? All C4 stories, or what? I've
noticed Hadeer had an "apply new permissions" task, so that doesn't sound right.

Original comment by mahmoudsakr87 on 26 Jun 2010 at 10:03

GoogleCodeExporter commented 8 years ago
No, these permissions are for my stories: no one can edit the sprint backlog unless
he's a scrum master, or he is the owner of the story, or the reviewer of the
story.
Also in a review log, no one can edit notes except a scrum master.

Original comment by menna.gh...@gmail.com on 27 Jun 2010 at 3:56

GoogleCodeExporter commented 8 years ago
In ProductBacklogs.index I see this:
        Project project1 = Project.findById(id);
        Security.check(project1.users.contains(Security.getConnected()));

Why is this checking for the project to contain the connected user if this
might be showing a component instead?

Shouldn't this check be inside the if clause, checking against either the project or
the component based on isComp?

Original comment by mahmoudsakr87 on 27 Jun 2010 at 5:44

GoogleCodeExporter commented 8 years ago
Well, as a matter of fact, anyone in the project can see the component backlog,
since he can basically see it in the product backlog, so why not see it through the
component? Or should it be otherwise?

Original comment by menna.gh...@gmail.com on 27 Jun 2010 at 5:49

GoogleCodeExporter commented 8 years ago
No, that's not my concern. I was rather thinking of the variable: id

if isComp == true, you should be querying Components, not Projects. You could 
still apply your logic.

Imagine isComp == true, and id = 10 (referencing component 10). You're
accordingly checking if the user is in project 10, NOT in the project of
component 10. Do you get what I mean?

Original comment by mahmoudsakr87 on 27 Jun 2010 at 5:57

GoogleCodeExporter commented 8 years ago
Ahhhhhhhhhh. Okay, yes, you are right, will be fixed right away :D

Original comment by menna.gh...@gmail.com on 27 Jun 2010 at 6:01

GoogleCodeExporter commented 8 years ago
You still need to handle that a system admin could see the backlog. You'll need 
to || Security.getConnected().isAdmin on both these checks.

Original comment by mahmoudsakr87 on 27 Jun 2010 at 7:19
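The fix the last few comments are asking for, as an added example that is not code from the smarterscrum project: resolve the right Project from either a project id or a component id before checking membership, and let a system admin through on the same check. It assumes Play 1.x style models in which Component has a project field, Project has a users list and User has an isAdmin flag; only Security.getConnected(), Security.check(boolean) and @With(Secure.class) come from the thread itself.

```java
// Added example, not the smarterscrum project's own controller.
// Assumed model shapes: Component.project, Project.users (List<User>), User.isAdmin.
package controllers;

import models.Component;
import models.Project;
import models.User;
import play.mvc.Controller;
import play.mvc.With;

@With(Secure.class) // every action in this controller requires a logged-in user
public class ProductBacklogs extends Controller {

    // Resolve the project whose backlog is being shown. When isComp is true the
    // id identifies a Component, so look that up and take its owning project
    // instead of calling Project.findById(id) with a component id.
    static Project backlogProject(long id, boolean isComp) {
        if (isComp) {
            Component component = Component.findById(id);
            notFoundIfNull(component); // unknown component id -> 404, not a silent pass
            return component.project;
        }
        Project project = Project.findById(id);
        notFoundIfNull(project);
        return project;
    }

    // A project member or a system admin may view the backlog (assumed helper).
    static boolean canView(User user, Project project) {
        return user.isAdmin || project.users.contains(user);
    }

    public static void index(long id, boolean isComp) {
        Project project = backlogProject(id, isComp);
        User connected = Security.getConnected();
        // Security.check(boolean) as used in the snippet quoted in the thread.
        Security.check(canView(connected, project));
        render(project, isComp);
    }
}
```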

GoogleCodeExporter commented 8 years ago
Also, how can I edit the backlog?

Original comment by mahmoudsakr87 on 27 Jun 2010 at 7:20

GoogleCodeExporter commented 8 years ago
System admin handled.
And edit how? I kinda don't get the question.

Original comment by menna.gh...@gmail.com on 27 Jun 2010 at 7:30

GoogleCodeExporter commented 8 years ago
The backlog, aren't the tasks editable? Shouldn't I be able to edit these stories
from the backlog and so on?

+ Could you make sure you have a @With(Secure.class) on ALL the controllers 
that require a logged in user, to make sure the user sees a login page if he's 
not.

Original comment by mahmoudsakr87 on 27 Jun 2010 at 8:29

GoogleCodeExporter commented 8 years ago
Well yes, in the product backlog you can edit the stories, and in the sprint
backlog you can edit the tasks, but you can't edit the story in a sprint backlog, if
you're asking about that.
BUT for a product backlog, you can't edit if there is a sprint running, and for a
sprint backlog, you can't edit if you're not the scrum master, or assignee, or
reviewer, or admin of course.
For the @With(Secure.class), it is done.

Original comment by menna.gh...@gmail.com on 27 Jun 2010 at 11:40

GoogleCodeExporter commented 8 years ago
I'm getting this exception when accessing the backlog now (find attached).

In views, use connected to fetch the connected user. #{if connected.isAdmin}
for example, and so on.

Original comment by mahmoudsakr87 on 28 Jun 2010 at 6:45


GoogleCodeExporter commented 8 years ago
Just a heads up:

    #{if Security.getConnected().in(project).can('editBacklog') || Security.getConnected().isAdmin}
        <span style="display:none"> ${flag=true}</span>
    #{/if}

    #{ifnot flag}
    <div id="NOTE" style="padding: 10px 10px 10px 10px" class="ui-state-highlight ui-corner-all">
    <span style="float: left; margin-right: 0.3em;" class="ui-icon ui-icon-info"></span>
    <strong>NOTE: </strong>Editing is not allowed.
    <br/><a href="#" onclick="$('#NOTE').css('display','none');">hide me?</a></div>
    #{/ifnot}

Could have been refactored to:

    #{ifnot connected.in(project).can('editBacklog') || connected.isAdmin}
    <div id="NOTE" style="padding: 10px 10px 10px 10px" class="ui-state-highlight ui-corner-all">
    <span style="float: left; margin-right: 0.3em;" class="ui-icon ui-icon-info"></span>
    <strong>NOTE: </strong>Editing is not allowed.
    <br/><a href="#" onclick="$('#NOTE').css('display','none');">hide me?</a></div>
    #{/ifnot}

Original comment by mahmoudsakr87 on 28 Jun 2010 at 6:48

GoogleCodeExporter commented 8 years ago
Well, sometimes it fascinates me how dumb I can be!! I was doing it with
connected, then I decided I was being careless and changed it to security.connected :X!! Anyway,
right now I don't have my laptop, but I'll fix it first thing when I go home
(ahem.. which will be kinda late :$ sorry).

But by the way, I need the flag in another part too, so I'll have to write it
in the ifnot as well :P

Original comment by menna.gh...@gmail.com on 28 Jun 2010 at 8:43

GoogleCodeExporter commented 8 years ago
Oh, okay. You're right then :D

You still don't need the span hidden,

    #{if Security.getConnected().in(project).can('editBacklog') || Security.getConnected().isAdmin}
        <span style="display:none"> ${flag=true}</span>
    #{/if}

could be refactored to:

    #{set flag:Security.getConnected().in(project).can('editBacklog') || Security.getConnected().isAdmin /}

Take your time. :)

Original comment by mahmoudsakr87 on 28 Jun 2010 at 9:16

GoogleCodeExporter commented 8 years ago
Awesome :D

Original comment by menna.gh...@gmail.com on 28 Jun 2010 at 9:28

GoogleCodeExporter commented 8 years ago
Done :D 

Original comment by menna.gh...@gmail.com on 28 Jun 2010 at 4:54

GoogleCodeExporter commented 8 years ago
Congrats on the acquittal =D

Original comment by mahmoudsakr87 on 28 Jun 2010 at 7:23