Bug 864712 - Copy trans in project page available for any users
Product: Zanata
Classification: Community
Component: Security
: 2.0
Assigned To: Alex Eng
Ding-Yi Chen
Reported: 2012-10-09 19:57 EDT by Alex Eng
Modified: 2012-11-07 01:19 EST
Fixed In Version: 1.8.0-SNAPSHOT (20121016-1428)
Doc Type: Bug Fix
Last Closed: 2012-11-07 01:19:35 EST
Type: Bug
Description Alex Eng 2012-10-09 19:57:21 EDT
Description of problem:
Copy trans in project page is available to any user and is not restricted

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Log in to Zanata as a normal user.
2. Go to any project and click "Copy Trans Options".
3. Make changes to the options and click Save.

Actual results:
Save successful

Expected results:
Only project maintainer/admin should be able to perform copy trans

Additional info:
Comment 1 Alex Eng 2012-10-09 20:20:31 EDT
Implemented security check on copy trans option in project page.
Restricted only to project maintainers and admin.
See https://github.com/zanata/zanata/commit/bcb08c86f97c3187b98d0614ddcbe9c761a79fc9
Comment 2 Ding-Yi Chen 2012-10-11 21:20:32 EDT
Tested with Zanata version 1.8.0-SNAPSHOT (20121012-0031)

Error message "You do not have permission to access this resource" appears for non-admin project maintainers.

Comment 3 Alex Eng 2012-10-11 23:58:50 EDT
Fixed security issue. 

Comment 4 Ding-Yi Chen 2012-10-16 02:11:49 EDT
VERIFIED with Zanata version 1.8.0-SNAPSHOT (20121016-1428)
Comment 5 Sean Flanigan 2012-11-07 01:19:35 EST
Fix released in Zanata 2.0.
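
The access rule this report settles on (Copy Trans options editable only by a project's maintainers and by admins), sketched as an added example that is not Zanata's code and not part of the original report. The `User` and `Project` types and all method names are hypothetical, and records assume Java 16 or later. The cases in `main` cover both the original defect and the regression noted in Comment 2, where a non-admin maintainer was refused.

```java
import java.util.Set;

// Added illustration; every type and method name here is hypothetical.
public class CopyTransAccessCheck {

    // Constructed user model: login name plus a global admin flag.
    record User(String name, boolean admin) {}

    // Constructed project model: slug plus maintainer login names.
    record Project(String slug, Set<String> maintainers) {}

    // Rule from the report: project maintainer OR admin, nobody else.
    static boolean canEditCopyTransOptions(User user, Project project) {
        if (user == null) {
            return false; // anonymous request
        }
        return user.admin() || project.maintainers().contains(user.name());
    }

    // The check sits on the save action itself, before anything is written.
    static void saveCopyTransOptions(User user, Project project) {
        if (!canEditCopyTransOptions(user, project)) {
            throw new SecurityException("You do not have permission to access this resource");
        }
        // ... persist the changed options here ...
    }

    static void expect(boolean allowed, User user, Project project) {
        if (canEditCopyTransOptions(user, project) != allowed) {
            throw new AssertionError("wrong decision for " + user + " on " + project.slug());
        }
    }

    public static void main(String[] args) {
        Project demo = new Project("demo", Set.of("maintainer1"));   // constructed data
        Project other = new Project("other", Set.of("maintainer2"));

        expect(false, new User("normal", false), demo);       // original bug: plain user
        expect(true, new User("maintainer1", false), demo);   // Comment 2: non-admin maintainer
        expect(true, new User("root", true), demo);           // admin who maintains nothing
        expect(false, new User("maintainer1", false), other); // maintainer of a different project
        expect(false, null, demo);                            // not logged in
        saveCopyTransOptions(new User("maintainer1", false), demo); // passes the guard
        System.out.println("all access decisions match the expected matrix");
    }
}
```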
