Closed kalbers closed 9 years ago
@jimsafley Right now these rules are written to allow most users to only visit their edit pages; e.g. https://github.com/omeka/omeka-s/blob/develop/application/src/Service/AclFactory.php#L213
At the very least we'll need to add change-password, edit-keys, and show. Should this transition to allowing all views but the browse view? Or are there other views we're specifically trying to deny?
Additionally, is it worth rethinking the current setup that requires these to be edited for each role, as opposed to having a single rule that applies to multiple users?
Another potential issue. Currently only admins can view other users' show pages. However, there are links to these pages in different areas of the site, e.g. the Owner column on item-sets browse. We'll possibly want those links to point to queries of resources owned by those users, rather than the user show page, or we'll need to revisit some of the permissions.
Additionally, we need to be protecting the edit-keys action in the same way as change-password. There's currently no user-specific check happening there except for the one on read.
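An added sketch of the per-user check discussed in the first comment and in the edit-keys comment above. This is example code, not Omeka S's own AclFactory: it uses the assertion hook of Laminas\Permissions\Acl (the Zend ACL Omeka S builds on) so that one rule covers several non-admin roles, grants show, edit, change-password and edit-keys only on the acting user's own record, leaves browse denied, and gives a global admin everything. The class names CurrentUser, UserRecord and OwnUserAssertion, the resource id string and the role ids are assumptions made for the example.

```php
<?php
// Added example, not Omeka S code. Assumes laminas/laminas-permissions-acl is installed.
require 'vendor/autoload.php';

use Laminas\Permissions\Acl\Acl;
use Laminas\Permissions\Acl\Assertion\AssertionInterface;
use Laminas\Permissions\Acl\Resource\ResourceInterface;
use Laminas\Permissions\Acl\Role\RoleInterface;

/** The logged-in user, acting as the ACL role. Carries its own id for the ownership check. */
final class CurrentUser implements RoleInterface
{
    public function __construct(public int $id, private string $roleId) {}
    public function getRoleId() { return $this->roleId; }
}

/** The user record a controller action is about, acting as the ACL resource. */
final class UserRecord implements ResourceInterface
{
    public const RESOURCE_ID = 'Omeka\Controller\Admin\User'; // hypothetical resource id
    public function __construct(public int $id) {}
    public function getResourceId() { return self::RESOURCE_ID; }
}

/** Passes only when the acting user and the target user record are the same user. */
final class OwnUserAssertion implements AssertionInterface
{
    public function assert(Acl $acl, ?RoleInterface $role = null, ?ResourceInterface $resource = null, $privilege = null)
    {
        // Laminas hands the assertion the original objects given to isAllowed(),
        // so a bare string role or resource id (no user id to compare) fails closed.
        return $role instanceof CurrentUser
            && $resource instanceof UserRecord
            && $role->id === $resource->id;
    }
}

function buildAcl(): Acl
{
    $acl = new Acl(); // denies everything that is not explicitly allowed
    $nonAdminRoles = ['author', 'editor', 'reviewer']; // hypothetical role ids
    foreach ($nonAdminRoles as $role) {
        $acl->addRole($role);
    }
    $acl->addRole('global_admin');
    $acl->addResource(UserRecord::RESOURCE_ID);

    // One rule for all non-admin roles: these actions, own record only.
    // 'browse' is deliberately absent, so listing all users stays denied.
    $selfActions = ['show', 'edit', 'change-password', 'edit-keys'];
    $acl->allow($nonAdminRoles, UserRecord::RESOURCE_ID, $selfActions, new OwnUserAssertion());

    // Admins get every privilege on the user resource, including browse and other users' pages.
    $acl->allow('global_admin', UserRecord::RESOURCE_ID);
    return $acl;
}

$acl   = buildAcl();
$alice = new CurrentUser(7, 'author');       // constructed sample users
$admin = new CurrentUser(1, 'global_admin');

$checks = [
    'author edit-keys on own record'   => $acl->isAllowed($alice, new UserRecord(7), 'edit-keys'),
    'author edit-keys on other record' => $acl->isAllowed($alice, new UserRecord(8), 'edit-keys'),
    'author show own record'           => $acl->isAllowed($alice, new UserRecord(7), 'show'),
    'author browse'                    => $acl->isAllowed($alice, new UserRecord(7), 'browse'),
    'admin show other record'          => $acl->isAllowed($admin, new UserRecord(8), 'show'),
];
foreach ($checks as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'allowed' : 'denied');
}
```

The point of passing objects rather than ids into isAllowed() is that the assertion can compare the acting user with the target record; a controller that only checks the role name against the action (the situation described for edit-keys above) would let any user with that role reach any other user's keys.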
edit-keys now has a specific check on it
If you click the username link in the admin bar, you get a 403 error; e.g. omeka-s/admin/user/ID
You are able to add on edit and resolve to the edit page; e.g. omeka-s/admin/user/ID/edit