[WWSympa] Cannot allow owners to manage editors of a distribution list

[aepli]

Version

Sympa 6.2.68

Installation method

Installing from source

Expected behavior

Allow owners to manage moderators using the editor rule in etc/edit_list.conf file:

root@tst:/home/sympa # grep -e '^editor ' etc/edit_list.conf
editor                          owner                           write
editor                          privileged_owner                write
root@tst:/home/sympa #

Actual behavior

Only privileged owners can manage moderators, the rule is not applied by the administration interface (wwsympa.fcgi).

Steps to reproduce

• Change the default editor rule for owners in etc/edit_list.conf by replacing the read by the write right.
• Restart the web service for read the new rule.
• Open the web interface and authenticate with an account that is a simple owner (not privileged) of a mailing list.
• Open the moderator administration menu (https:///sympa/review//editor), you will not be able to edit them.
• If you repeat the operation with a privileged owner, it is possible to modify the moderators of this distribution list.

[aepli]

Hello,

I found that the review.tt2 template only allows privileged owners to manage moderators:

root@tst:/home/sympa # grep -e '\[% IF .*is_privileged_owner ' share/sympa/default/web_tt2/review.tt2
                [% IF pS.privilege == 'write' && is_privileged_owner ~%]
                                        [% IF pS.privilege == 'write' && is_privileged_owner ~%]
                            [% IF is_privileged_owner && oV.subscribed ~%]
            [% IF is_writable && is_privileged_owner ~%]
            [% IF pS.privilege == 'write' && is_privileged_owner ~%]
root@tst:/home/sympa #

To fix this problem temporarily, I created a personal review.tt2 template in the etc/web_tt2 folder on my server by copying the original template from the share/sympa/default/web_tt2 folder. And I applied the following changes to this file:

root@tst:/home/sympa # diff -u share/sympa/default/web_tt2/review.tt2 etc/web_tt2/review.tt2
--- share/sympa/default/web_tt2/review.tt2      2022-05-17 15:33:19.760947314 +0200
+++ etc/web_tt2/review.tt2      2022-09-29 11:24:19.279448447 +0200
@@ -303,7 +303,7 @@
                     </div>
                 </div>

-                [% IF pS.privilege == 'write' && is_privileged_owner ~%]
+                [% IF pS.privilege == 'write' ~%]
                     <div class="small-2 medium-1 columns" role="columnheader">
                         <label title="[%|loc%]Delete[%END%]">
                             <i class="fa fa-user-times"></i>
@@ -332,7 +332,7 @@
                                                 <i class="fa fa-fw" title="[%|loc%]Moderator[%END%]"></i>
                                             [%~ END %]
                                         </span>
-                                        [% IF pS.privilege == 'write' && is_privileged_owner ~%]
+                                        [% IF pS.privilege == 'write' ~%]
                                             <a href="[% 'ajax/edit' | url_rel([list,role],{email=>oV.email,previous_action=>action}) %]"
                                                data-reveal-id="edit" data-reveal-ajax="true" class="MainMenuLinks">
                                                [% oV.email %]
@@ -354,7 +354,7 @@
                         </div>

                         <div class="small-2 medium-1 columns" role="cell">
-                            [% IF is_privileged_owner && oV.subscribed ~%]
+                            [% IF pS.privilege == 'write' && oV.subscribed ~%]
                                 [% PROCESS EditListArrayDel
                                     ppaths   = [pS.name,oI]
                                     pitem    = pS
@@ -385,7 +385,7 @@
                     LAST;
                 END;
             END ~%]
-            [% IF is_writable && is_privileged_owner ~%]
+            [% IF is_writable ~%]
                 <h3>
                     [% IF pS.name == 'owner' ~%]
                     [%|loc%]Add owners[%END%]
@@ -449,7 +449,7 @@
                 </div>
             [%~ END %]

-            [% IF pS.privilege == 'write' && is_privileged_owner ~%]
+            [% IF pS.privilege == 'write' ~%]
                 <input type="hidden" name="submit" value="submit" />
                 <input class="MainMenuLInks" type="submit" name="action_review"
                        value="[%|loc%]Apply modifications[%END%]" />
root@tst:/home/sympa #

After restarting the web service, the simple owners could edit the moderators again.

NB, I did not check the behavior with the hidden right and I did not check if this template was used elsewhere in the web administration interface.

Regards.

[ikedas]

Hi @aepli , As far as I looked at the code, your modifications makes sense. Could you submit your modifications as a PR if possible? (if it's difficult I'll do it).

Thanks for improvement!

As for the "hidden" case, I'll consider it.

[aepli]

Hi @ikedas,

This is my first PR, please bear with me. I hope this is what you wanted.

Regards

[ikedas]

Hi @aepli , your PR was merged. Thank you for reporting and fixing bug!