Bug 892816 - Recently removed project maintainer retains access to project maintainer actions.
Summary: Recently removed project maintainer retains access to project maintainer acti...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Zanata
Classification: Retired
Component: Security   
(Show other bugs)
Version: 2.0
Hardware: Unspecified Unspecified
unspecified
high
Target Milestone: ---
: 2.1
Assignee: Alex Eng
QA Contact: Ding-Yi Chen
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-07 22:26 UTC by Carlos Munoz
Modified: 2013-02-26 04:06 UTC (History)
3 users (show)

Fixed In Version: 2.1-SNAPSHOT (20130108-1249)
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-26 04:06:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Carlos Munoz 2013-01-07 22:26:48 UTC
Description of problem:
When the current logged in user removes him/herself from a project's maintainer list, he/she still has access to project maintainer actions until navigation to another page occurs.

Version-Release number of selected component (if applicable):
2.0.2

How reproducible:
Always

Steps to Reproduce:
1. Log in as a non-admin user, which is a project maintainer.
2. Go to a maintained project's page.
3. Got to the project's maintainer list.
4. Remove the user from the list.
  
Actual results:
The user still has access to add / remove project maintainers.

Expected results:
After removing the currently logged in user from the list, there should be no access to add or remove project maintainers.

Comment 1 Alex Eng 2013-01-07 23:35:14 UTC
Security flaw when you remove yourself from maintainer list of a project, and yet you still able to add yourself back as maintainer.  


Implemented fix. Once removed, if you are no longer maintainer, it will redirect to project page.

See https://github.com/zanata/zanata/commit/fa4adaf5a4000658a2750e8edc40c1a8bb30b361

Comment 6 Ding-Yi Chen 2013-01-08 00:29:24 UTC
Tested with Zanata version 2.1-SNAPSHOT (20130108-1004).
The non-admin project maintainsers cannot remove themselves now. Which is not the expected behaviors.

Reassigned.

Comment 8 Ding-Yi Chen 2013-01-08 03:57:10 UTC
VERIFIED with Zanata version 2.1-SNAPSHOT (20130108-1249)


Note You need to log in before you can comment on or make changes to this bug.