omeka / omeka-s

Omeka S is a web publication system for universities, galleries, libraries, archives, and museums. It consists of a local network of independently curated exhibits sharing a collaboratively built pool of items, media, and their metadata.
GNU General Public License v3.0

Users assigned roles below admin cannot get to their user page #230

Closed kalbers closed 9 years ago

kalbers commented 9 years ago

If you click the username link in the admin bar, you get a 403 error; e.g. omeka-s/admin/user/ID

You are able to add on "edit" and resolve to the edit page; e.g. omeka-s/admin/user/ID/edit

kalbers commented 9 years ago

@jimsafley Right now these rules are written to allow most users to only visit their edit pages; e.g. https://github.com/omeka/omeka-s/blob/develop/application/src/Service/AclFactory.php#L213

At the very least we'll need to add change-password, edit-keys, and show. Should this transition to allowing all views but the browse view? Or are there other views we're specifically trying to deny?

Additionally, is it worth rethinking the current setup that requires these to be edited for each role, as opposed to having a single rule that applies to multiple users?

kalbers commented 9 years ago

Another potential issue. Currently only admins can view other users' show pages. However, there are links to these pages in different areas of the site, e.g., the Owner column on item-sets browse. We'll possibly want those links to point to queries of resources owned by those users, rather than the user show page, or we'll need to revisit some of the permissions.

zerocrates commented 9 years ago

Additionally we need to be protecting the edit-keys action in the same way as change-password. There's currently no user-specific check happening there except for the one on read.

zerocrates commented 9 years ago

edit-keys now has a specific check on it.
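The two ACL questions in this thread (a single rule for all non-admin roles instead of one per role, and a user-specific ownership check on every own-record action including edit-keys) can be modelled with a small allow-list ACL. The following is an added example written for this thread; it is not Omeka S code and does not use Omeka's AclFactory. The resource, role and action names ("admin/user", "global_admin", "editor", "show", "edit-keys", and so on) are assumptions modelled on the actions mentioned above. It builds the rule set as the thread describes it before the fix (show returns 403, edit-keys has no owner check) beside the corrected one.

```python
"""Role-based ACL with a per-user ownership assertion.

Added example, not Omeka S code. Models the thread: non-admin roles may reach
show / edit / change-password / edit-keys on their *own* user record only and
never browse; admin roles reach everything. All names below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str


USER_RESOURCE = "admin/user"                                      # assumed resource name
ADMIN_ROLES = ("global_admin", "site_admin")                      # assumed role names
NON_ADMIN_ROLES = ("editor", "reviewer", "author", "researcher")  # assumed role names
OWN_USER_ACTIONS = frozenset({"show", "edit", "change-password", "edit-keys"})

Assertion = Callable[[User, Optional[User]], bool]
Rule = Tuple[FrozenSet[str], str, Optional[FrozenSet[str]], Optional[Assertion]]


class Acl:
    """Minimal allow-list ACL: a request passes if any rule matches the requester's
    role, the resource, the action and (when one is attached) the assertion."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def allow(self, roles: Iterable[str], resource: str,
              actions: Optional[Iterable[str]] = None,
              assertion: Optional[Assertion] = None) -> None:
        self._rules.append((frozenset(roles), resource,
                            None if actions is None else frozenset(actions), assertion))

    def is_allowed(self, user: User, resource: str, action: str,
                   target: Optional[User] = None) -> bool:
        for roles, res, actions, assertion in self._rules:
            if user.role not in roles or res != resource:
                continue
            if actions is not None and action not in actions:
                continue
            if assertion is not None and not assertion(user, target):
                continue
            return True
        return False  # deny by default


def owns_record(user: User, target: Optional[User]) -> bool:
    """The user-specific check: the record acted on must be the requester's own."""
    return target is not None and target.id == user.id


def build_before_acl() -> Acl:
    """Rule set as the thread describes it before the fix: one rule per role, only
    'edit' scoped to the owner, and edit-keys granted with no ownership check."""
    acl = Acl()
    acl.allow(ADMIN_ROLES, USER_RESOURCE)
    for role in NON_ADMIN_ROLES:
        acl.allow([role], USER_RESOURCE, {"edit"}, owns_record)
        acl.allow([role], USER_RESOURCE, {"edit-keys"})  # missing owner check
    return acl


def build_after_acl() -> Acl:
    """Corrected rule set: one rule for all non-admin roles covering every own-record
    action, guarded by the ownership assertion; browse is simply never granted."""
    acl = Acl()
    acl.allow(ADMIN_ROLES, USER_RESOURCE)
    acl.allow(NON_ADMIN_ROLES, USER_RESOURCE, OWN_USER_ACTIONS, owns_record)
    return acl


def http_status(acl: Acl, user: User, action: str, target: Optional[User]) -> int:
    """What the controller would answer: 200 when allowed, 403 otherwise."""
    return 200 if acl.is_allowed(user, USER_RESOURCE, action, target) else 403


if __name__ == "__main__":
    alice, bob = User(7, "editor"), User(8, "author")  # constructed sample users
    before, after = build_before_acl(), build_after_acl()
    print("before: alice show own page ->", http_status(before, alice, "show", alice))      # 403 (the bug)
    print("before: alice edit-keys bob ->", http_status(before, alice, "edit-keys", bob))  # 200 (missing check)
    print("after:  alice show own page ->", http_status(after, alice, "show", alice))       # 200
    print("after:  alice edit-keys bob ->", http_status(after, alice, "edit-keys", bob))   # 403
    print("after:  alice browse        ->", http_status(after, alice, "browse", None))     # 403
```

The ownership assertion is attached to the rule rather than checked inside each controller action, so adding a new own-record action means adding one name to OWN_USER_ACTIONS instead of remembering to add a per-action check; the browse view needs no explicit deny because nothing grants it to non-admin roles.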