Bug 864712

Summary: Copy trans in project page available for any users
Product: [Retired] Zanata Reporter: Alex Eng <aeng>
Component: Security Assignee: Alex Eng <aeng>
Status: CLOSED CURRENTRELEASE QA Contact: Ding-Yi Chen <dchen>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: development CC: zanata-bugs
Target Milestone: ---   
Target Release: 2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 1.8.0-SNAPSHOT (20121016-1428) Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-07 06:19:35 UTC Type: Bug

Description Alex Eng 2012-10-09 23:57:21 UTC
Description of problem:
Copy trans in project page is available to any user and is not restricted

Version-Release number of selected component (if applicable):
2.0

How reproducible:
Always

Steps to Reproduce:
1. Log in to Zanata as a normal user.
2. Go to any project and click "Copy Trans Options"
3. Make changes in the options and click save
  
Actual results:
Save successful


Expected results:
Only project maintainer/admin should be able to perform copy trans

Additional info:

Comment 1 Alex Eng 2012-10-10 00:20:31 UTC
Implemented security check on copy trans option in project page.
Restricted only to project maintainers and admin.
See https://github.com/zanata/zanata/commit/bcb08c86f97c3187b98d0614ddcbe9c761a79fc9

Comment 2 Ding-Yi Chen 2012-10-12 01:20:32 UTC
Tested with Zanata version 1.8.0-SNAPSHOT (20121012-0031)

Error message "You do not have permission to access this resource" appears for non-admin project maintainers.

Reassigned.

Comment 3 Alex Eng 2012-10-12 03:58:50 UTC
Fixed security issue. 

See
https://github.com/zanata/zanata/commit/293c0fd8df9e6f63f2a9a89b51bea6f3a8347bd6

Comment 4 Ding-Yi Chen 2012-10-16 06:11:49 UTC
VERIFIED with Zanata version 1.8.0-SNAPSHOT (20121016-1428)

Comment 5 Sean Flanigan 2012-11-07 06:19:35 UTC
Fix released in Zanata 2.0.
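
An added example, not Zanata's code (the actual fix is in the commits linked above): the access rule from the expected results, enforced on the save action, with a role matrix that catches both the original over-permissive behaviour and the over-restrictive state reported in Comment 2. All class, method and user names are hypothetical.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical, not Zanata's API.
public class CopyTransAuthz {
    static final class User {
        final String name; final boolean admin;
        User(String name, boolean admin) { this.name = name; this.admin = admin; }
    }
    static final class Project {
        final Set<String> maintainers = new HashSet<>();
        String copyTransOptions = "default";
    }

    // Rule from "Expected results": project maintainer OR admin, nobody else.
    static boolean maySaveCopyTransOptions(User u, Project p) {
        return u != null && (u.admin || p.maintainers.contains(u.name));
    }

    // The check is enforced on the save action itself, before any state changes.
    static void saveCopyTransOptions(User u, Project p, String options) {
        if (!maySaveCopyTransOptions(u, p)) {
            throw new SecurityException("You do not have permission to access this resource");
        }
        p.copyTransOptions = options;
    }

    static boolean attempt(User u, Project p) {
        try { saveCopyTransOptions(u, p, "changed"); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        Project p = new Project();
        p.maintainers.add("maintainer1"); // constructed sample data
        Map<String, Boolean> results = new LinkedHashMap<>();
        results.put("anonymous", attempt(null, p));
        results.put("normal user", attempt(new User("user1", false), p));
        results.put("non-admin maintainer", attempt(new User("maintainer1", false), p));
        results.put("admin", attempt(new User("admin1", true), p));
        results.forEach((who, ok) -> System.out.println(who + " -> " + (ok ? "saved" : "denied")));
        // Deny rows cover the original report; the maintainer row covers Comment 2.
        if (results.get("anonymous") || results.get("normal user")
                || !results.get("non-admin maintainer") || !results.get("admin")) {
            throw new AssertionError("authorization matrix mismatch: " + results);
        }
    }
}
```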