Remove not supported moderation-permission
(MGNLFORUM-250)
| Status: | Closed |
| Project: | Forum (closed) |
| Component/s: | security |
| Affects Version/s: | None |
| Fix Version/s: | 3.3 |
| Type: | Sub-task | Priority: | Neutral |
| Reporter: | Christoph Meier | Assignee: | Christoph Meier |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Comments |
| Comment by Roman Kovařík [ 10/Mar/14 ] |
|
| Comment by Christoph Meier [ 11/Mar/14 ] |
|
The commit onto master was done against the parent ticket |
| Comment by Milan Divilek [ 11/Mar/14 ] |
|
Reopen: |
| Comment by Roman Kovařík [ 12/Mar/14 ] |
|
Display a message (from a task) which tells the user that „these roles“ are no longer used in the module and that he should delete them from his users/groups, etc. … |
| Comment by Milan Divilek [ 12/Mar/14 ] |
|
Reopen: lockForum, unlockForum, approveMessage, rejectMessage actions can't be triggered without those roles, because they call the method info.magnolia.module.forum.DefaultForumManager#isModerator, which checks if the user has one of those roles. addForum, editForum, deleteForum, addThread, editThread, deleteThread, editMessage, deleteMessage actions should also check if the user can moderate the forum. |
| Comment by Christoph Meier [ 12/Mar/14 ] |
|
editForum, editThread, editMessage are NOT handled in ForumManager but by the "standard" SaveDialogActionDefinition. To enable that, #isModerator (without args.!) was added to the interface. While fixing tests, I also refactored those which test action-classes to use the JUnit4-pattern; and one test was added. |
| Comment by Milan Divilek [ 12/Mar/14 ] |
|
info.magnolia.module.forum.app.action.OpenEditForumItemDialogAction#execute:

} catch (AccessDeniedException e) { throw new ActionExecutionException(e); }

This will lead to an ugly "Error banner". Instead of re-throwing AccessDeniedException as ActionExecutionException we should simply show an "Error notification" and stop the action. Same for info.magnolia.module.forum.app.action.SaveDialogNewForumAction, info.magnolia.module.forum.app.action.SaveDialogNewThreadAction, etc.

addForum, addThread actions will open the dialog also when the user is not admin or moderator. info.magnolia.module.forum.DefaultForumManager#isModerator is triggered during the save dialog action, but when the user is not a moderator then the "Error banner" is shown and the dialog is not closed. If the user is not a moderator we should not open the dialog at all, or at least the dialog should be closed. |
| Comment by Christoph Meier [ 13/Mar/14 ] |
|
I'm not sure whether it makes sense to check forumManager.isModerator() in every action. The ticket was reopened before since it was possible to "outsmart" security, which isn't possible anymore. I'll do the change in OpenEditForumItemDialogAction where I already use forumManager.isModerator(); the others I postpone. |
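
The behaviour discussed in the 12/Mar/14 and 13/Mar/14 comments above (show a notification instead of rethrowing, do not open the dialog for a non-moderator, and still enforce the check when saving), as an added Java example that is not Magnolia's or the forum module's code. ModeratorCheck, Ui, AccessDenied, the method names and the role names are hypothetical stand-ins, and the sample data is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ModerationGuardExample {
    // Hypothetical stand-in for the no-argument isModerator() check.
    interface ModeratorCheck { boolean isModerator(); }

    // Hypothetical UI stub: records notifications and opened dialogs.
    static class Ui {
        final List<String> notifications = new ArrayList<>();
        final List<String> openedDialogs = new ArrayList<>();
        void notifyError(String msg) { notifications.add(msg); }
        void openDialog(String name) { openedDialogs.add(name); }
    }
    static class AccessDenied extends Exception { AccessDenied(String m) { super(m); } }

    // Open action: a non-moderator gets a notification and no dialog.
    static boolean openDialog(ModeratorCheck check, Ui ui, String dialog) {
        if (!check.isModerator()) {
            ui.notifyError("Not allowed to moderate: " + dialog);
            return false;
        }
        ui.openDialog(dialog);
        return true;
    }

    // Save path: enforced independently of the open-time check, so calling
    // save directly (or losing the role while the dialog is open) still fails.
    static void save(ModeratorCheck check, List<String> store, String item) throws AccessDenied {
        if (!check.isModerator()) throw new AccessDenied("Save denied: " + item);
        store.add(item);
    }
    // Save action: a denial becomes a notification and nothing is stored.
    static boolean saveAction(ModeratorCheck check, Ui ui, List<String> store, String item) {
        try { save(check, store, item); return true; }
        catch (AccessDenied e) { ui.notifyError(e.getMessage()); return false; }
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("forum-user"); // constructed role set, no moderator role
        ModeratorCheck check = () -> roles.contains("forum-moderator"); // constructed role name
        Ui ui = new Ui();
        List<String> store = new ArrayList<>();
        boolean opened = openDialog(check, ui, "editThread");
        boolean saved = saveAction(check, ui, store, "thread-1");
        System.out.println(opened + " " + saved + " " + ui.openedDialogs + " " + store + " " + ui.notifications);
    }
}
```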