Bug 892816

Summary: Recently removed project maintainer retains access to project maintainer actions.
Product: [Retired] Zanata Reporter: Carlos Munoz <camunoz>
Component: SecurityAssignee: Alex Eng <aeng>
Status: CLOSED CURRENTRELEASE QA Contact: Ding-Yi Chen <dchen>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.0CC: aeng, sflaniga, zanata-bugs
Target Milestone: ---   
Target Release: 2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 2.1-SNAPSHOT (20130108-1249) Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-26 04:06:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Carlos Munoz 2013-01-07 22:26:48 UTC 
Description of problem:
When the current logged in user removes him/herself from a project's maintainer list, he/she still has access to project maintainer actions until navigation to another page occurs.

Version-Release number of selected component (if applicable):
2.0.2

How reproducible:
Always

Steps to Reproduce:
1. Log in as a non-admin user, which is a project maintainer.
2. Go to a maintained project's page.
3. Got to the project's maintainer list.
4. Remove the user from the list.
  
Actual results:
The user still has access to add / remove project maintainers.

Expected results:
After removing the currently logged in user from the list, there should be no access to add or remove project maintainers.
Comment 1 Alex Eng 2013-01-07 23:35:14 UTC 
Security flaw when you remove yourself from maintainer list of a project, and yet you still able to add yourself back as maintainer.  


Implemented fix. Once removed, if you are no longer maintainer, it will redirect to project page.

See https://github.com/zanata/zanata/commit/fa4adaf5a4000658a2750e8edc40c1a8bb30b361
Comment 6 Ding-Yi Chen 2013-01-08 00:29:24 UTC 
Tested with Zanata version 2.1-SNAPSHOT (20130108-1004).
The non-admin project maintainsers cannot remove themselves now. Which is not the expected behaviors.

Reassigned.
Comment 7 Alex Eng 2013-01-08 01:41:21 UTC 
Implemented fix.

See
https://github.com/zanata/zanata/commit/f8125039cb68454b2bd43d5cb70c4ec63e30bb8d
Comment 8 Ding-Yi Chen 2013-01-08 03:57:10 UTC 
VERIFIED with Zanata version 2.1-SNAPSHOT (20130108-1249)