Bug 892816 - Recently removed project maintainer retains access to project maintainer actions.
Recently removed project maintainer retains access to project maintainer acti...
Product: Zanata
Classification: Community
Component: Security (Show other bugs)
Unspecified Unspecified
unspecified Severity high
: ---
: 2.1
Assigned To: Alex Eng
Ding-Yi Chen
Depends On:
  Show dependency treegraph
Reported: 2013-01-07 17:26 EST by Carlos Munoz
Modified: 2013-02-25 23:06 EST (History)
3 users (show)

See Also:
Fixed In Version: 2.1-SNAPSHOT (20130108-1249)
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-25 23:06:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Carlos Munoz 2013-01-07 17:26:48 EST
Description of problem:
When the current logged in user removes him/herself from a project's maintainer list, he/she still has access to project maintainer actions until navigation to another page occurs.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Log in as a non-admin user, which is a project maintainer.
2. Go to a maintained project's page.
3. Got to the project's maintainer list.
4. Remove the user from the list.
Actual results:
The user still has access to add / remove project maintainers.

Expected results:
After removing the currently logged in user from the list, there should be no access to add or remove project maintainers.
Comment 1 Alex Eng 2013-01-07 18:35:14 EST
Security flaw when you remove yourself from maintainer list of a project, and yet you still able to add yourself back as maintainer.  

Implemented fix. Once removed, if you are no longer maintainer, it will redirect to project page.

See https://github.com/zanata/zanata/commit/fa4adaf5a4000658a2750e8edc40c1a8bb30b361
Comment 6 Ding-Yi Chen 2013-01-07 19:29:24 EST
Tested with Zanata version 2.1-SNAPSHOT (20130108-1004).
The non-admin project maintainsers cannot remove themselves now. Which is not the expected behaviors.

Comment 8 Ding-Yi Chen 2013-01-07 22:57:10 EST
VERIFIED with Zanata version 2.1-SNAPSHOT (20130108-1249)

Note You need to log in before you can comment on or make changes to this bug.