krono / squeaksource3

Seaside-based Monticello code repository for Squeak, Pharo and GemStone

Delete version from project via REST requires only read permissions? #76

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
That's what the code in SSUrlFilter>>deleteVersion:ofProject: says ...

I've patched the code on the SS3 site to require write permissions to do a 
delete ...

I was toying with the idea that the various project operations should do 
permissions validation and now that I see what kinds of mistakes can be made, I 
think that all of the operations should do permission validation ... then we 
can have unit tests that validate this behavior and the code in the REST and 
web interfaces doesn't have to remember to do validation ...

Original issue reported on code.google.com by henrichs...@gmail.com on 5 Jan 2012 at 12:48

GoogleCodeExporter commented 9 years ago
Whoops ... one needs admin rights to delete a version...

Original comment by henrichs...@gmail.com on 5 Jan 2012 at 6:59

GoogleCodeExporter commented 9 years ago
I've created 5 new methods in SSProject:

  SSProject>>copyVersion:to:author:as:
  SSProject>>deleteVersion:as:
  SSProject>>dependentVersionsFor:
  SSProject>>moveVersion:to:author:as:
  SSProject>>removeFromSystemAs:

which do access policy validation and will throw an SSAccessViolation exception 
if a violation is found ... the view classes (SSProjectView, SSVersionView, and 
SSUrlFilter) have been changed to use the above methods so that a consistent 
implementation can be used everywhere

Original comment by henrichs...@gmail.com on 6 Jan 2012 at 12:16

GoogleCodeExporter commented 9 years ago
SSProject>>addVersion:author:as: also added ...

Original comment by henrichs...@gmail.com on 6 Jan 2012 at 12:30

GoogleCodeExporter commented 9 years ago

Original comment by henrichs...@gmail.com on 6 Jan 2012 at 1:17

GoogleCodeExporter commented 9 years ago
SqueakSource 3.0-rc.1.1 (dkh.86) ... SSUrlFilter modified to use the SSProject 
API that includes access control validation and to handle SSAccessViolation by 
returning #authResponseFor: 

Original comment by henrichs...@gmail.com on 18 Jan 2012 at 12:24
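
The pattern this thread settles on (every project operation takes the acting user and validates access itself, and the REST layer only maps the resulting exception to a response) is sketched below in Python as an added example; it is not SqueakSource code. The `Project`, `AccessViolation` and `rest_delete` names, the access levels other than admin-for-delete, and the 401 status are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):              # constructed levels, not SS3's policy model
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3

class AccessViolation(Exception):
    """Stand-in for the SSAccessViolation exception named in the thread."""

class Project:
    # One table of required levels, so a unit test can enumerate every operation.
    # Only the admin requirement for delete comes from the thread; the rest is assumed.
    REQUIRED = {"versions": Access.READ,
                "add_version": Access.WRITE,
                "delete_version": Access.ADMIN}

    def __init__(self, grants):
        self._grants = dict(grants)  # user name -> Access level
        self._versions = set()

    def _check(self, operation, user):
        # Unknown users get NONE, so a missing grant fails closed.
        if self._grants.get(user, Access.NONE) < self.REQUIRED[operation]:
            raise AccessViolation(f"{user!r} may not {operation}")

    def versions(self, as_user):
        self._check("versions", as_user)
        return sorted(self._versions)

    def add_version(self, name, as_user):
        self._check("add_version", as_user)
        self._versions.add(name)

    def delete_version(self, name, as_user):
        self._check("delete_version", as_user)
        self._versions.discard(name)

def rest_delete(project, name, user):
    """REST-style caller: no permission logic of its own, only error mapping."""
    try:
        project.delete_version(name, as_user=user)
    except AccessViolation:
        return 401                   # assumed status for the auth response
    return 204
```

Because the check lives in the model, a caller that forgets to validate still cannot delete: the only path to `_versions` goes through `_check`.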