<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 02:02:09 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLFORUM-253] DefaultForumManager#isModerator should work based on roles </title>
                <link>https://jira.magnolia-cms.com/browse/MGNLFORUM-253</link>
                <project id="10130" key="MGNLFORUM">Forum (closed)</project>
                    <description></description>
                <environment></environment>
        <key id="37050">MGNLFORUM-253</key>
            <summary>DefaultForumManager#isModerator should work based on roles </summary>
                <type id="5" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10896&amp;avatarType=issuetype">Sub-task</type>
                            <parent id="37045">MGNLFORUM-250</parent>
                                    <priority id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/neutral.gif">Neutral</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="cmeier">Christoph Meier</assignee>
                                    <reporter username="cmeier">Christoph Meier</reporter>
                        <labels>
                    </labels>
                <created>Wed, 5 Mar 2014 18:15:12 +0100</created>
                <updated>Thu, 13 Mar 2014 11:17:58 +0100</updated>
                            <resolved>Thu, 13 Mar 2014 10:06:17 +0100</resolved>
                                                    <fixVersion>3.3</fixVersion>
                                    <component>security</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="80960" author="rkovarik" created="Mon, 10 Mar 2014 14:24:39 +0100"  >&lt;ul&gt;
	&lt;li&gt;Check for Moderator permission is also performed in:
	&lt;ul&gt;
		&lt;li&gt;&lt;tt&gt;info.magnolia.module.forum.admin.ForumTree.canModerate(Content)&lt;/tt&gt; ...this file is obsolete and should be removed&lt;/li&gt;
		&lt;li&gt;&lt;tt&gt;info.magnolia.module.forum.admin.moderation.ModerationListModel.getResult(...)&lt;/tt&gt; ...not sure if it&apos;s used&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&apos;1&apos; instead of &apos;0&apos;:
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
 &lt;span class=&quot;code-keyword&quot;&gt;throw&lt;/span&gt; &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; AccessDeniedException(MessageFormat.format(&lt;span class=&quot;code-quote&quot;&gt;&quot;User not allowed to moderate path [{1}].&quot;&lt;/span&gt;, &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;code-object&quot;&gt;Object&lt;/span&gt;[] { node.getHandle() }));
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="81027" author="cmeier" created="Tue, 11 Mar 2014 14:50:59 +0100"  >&lt;p&gt;The commit onto master was done against the parent ticket &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLFORUM-250&quot; title=&quot;Remove not supported moderation-permission&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLFORUM-250&quot;&gt;&lt;del&gt;MGNLFORUM-250&lt;/del&gt;&lt;/a&gt;; all subtasks of &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLFORUM-250&quot; title=&quot;Remove not supported moderation-permission&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLFORUM-250&quot;&gt;&lt;del&gt;MGNLFORUM-250&lt;/del&gt;&lt;/a&gt; (251, 252, 253, 254, 255) have been committed against 250  on master.&lt;/p&gt;</comment>
                            <comment id="81052" author="mdivilek" created="Tue, 11 Mar 2014 22:00:21 +0100"  >&lt;p&gt;Reopen:&lt;br/&gt;
1. Let's have the forum app available for users who have the role forum-moderator-base. /modules/forum/apps/forum/permissions/roles/forum-moderator-base&lt;br/&gt;
2. Create a new user &lt;tt&gt;Karel&lt;/tt&gt; and give him the forum-moderator-base and forum-ALL-user roles&lt;br/&gt;
3. Log in as Karel and open the Forum app&lt;br/&gt;
4. He can do anything he wants, e.g. add or remove a forum. He doesn&apos;t need the forum_ALL-admin or forum_ALL-moderator role.&lt;/p&gt;</comment>
                            <comment id="81074" author="rkovarik" created="Wed, 12 Mar 2014 10:35:16 +0100"  >&lt;p&gt;Display a message (from a task) which tells the user that &#8222;these roles&#8220; are no longer used in the module and that he should delete them from his users/groups, etc. &#8230;&lt;/p&gt;</comment>
                            <comment id="81124" author="mdivilek" created="Wed, 12 Mar 2014 15:35:15 +0100"  >&lt;p&gt;Reopen:&lt;br/&gt;
addForum, editForum, deleteForum, addThread, editThread, deleteThread, editMessage, deleteMessage actions can be triggered without the forum_ALL-admin or forum_ALL-moderator role. &lt;/p&gt;

&lt;p&gt;lockForum, unlockForum, approveMessage, rejectMessage actions can&apos;t be triggered without those roles, because they call the method info.magnolia.module.forum.DefaultForumManager#isModerator, which checks whether the user has one of those roles. &lt;/p&gt;

&lt;p&gt;addForum, editForum, deleteForum, addThread, editThread, deleteThread, editMessage, deleteMessage actions should also check whether the user can moderate the forum.&lt;/p&gt;</comment>
                            <comment id="81151" author="cmeier" created="Wed, 12 Mar 2014 18:29:19 +0100"  >&lt;p&gt;editForum, editThread, editMessage are NOT handled in ForumManager but by the &quot;standard&quot; SaveDialogActionDefinition.&lt;br/&gt;
So I added a custom OpenEditForumItemDialogAction which calls ForumManager#isModerator.&lt;/p&gt;

&lt;p&gt;To enable that, #isModerator (without args!) was added to the interface.&lt;/p&gt;

&lt;p&gt;While fixing tests, I also refactored those which test action classes to use the JUnit4 pattern; and one test was added.&lt;/p&gt;</comment>
                            <comment id="81156" author="mdivilek" created="Wed, 12 Mar 2014 21:28:58 +0100"  >&lt;p&gt;info.magnolia.module.forum.app.action.OpenEditForumItemDialogAction#execute&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
} &lt;span class=&quot;code-keyword&quot;&gt;catch&lt;/span&gt; (AccessDeniedException e) {
    &lt;span class=&quot;code-keyword&quot;&gt;throw&lt;/span&gt; &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; ActionExecutionException(e);
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This will lead to an ugly &quot;Error banner&quot;. Instead of re-throwing AccessDeniedException as ActionExecutionException we should simply show an &quot;Error notification&quot; and stop the action. Same for info.magnolia.module.forum.app.action.SaveDialogNewForumAction, info.magnolia.module.forum.app.action.SaveDialogNewThreadAction, etc.&lt;/p&gt;

&lt;p&gt;The addForum and addThread actions will open the dialog even when the user is not an admin or moderator. info.magnolia.module.forum.DefaultForumManager#isModerator is triggered during the save dialog action, but when the user is not a moderator an &quot;Error banner&quot; is shown and the dialog is not closed. If the user is not a moderator we should not open the dialog at all, or at least the dialog should be closed.&lt;/p&gt;</comment>
                            <comment id="81162" author="cmeier" created="Thu, 13 Mar 2014 09:41:54 +0100"  >&lt;p&gt;I&apos;m not sure whether it makes sense to check forumManager.isModerator() in every action. &lt;br/&gt;
But if we don&apos;t, then this may lead to the (ugly?) &quot;Error banner&quot;.&lt;br/&gt;
...&lt;br/&gt;
Actually all actions should be greyed out if the user doesn&apos;t have the appropriate permissions. This seems more reasonable (to me). But this must be configured, and again this config could be changed by a user who accidentally has too many rights.&lt;/p&gt;

&lt;p&gt;The ticket was reopened before since it was possible to &quot;outsmart&quot; security, which isn&apos;t possible anymore.&lt;br/&gt;
The last mentioned issue is more a UX thing, which isn&apos;t consistently done the same way everywhere.&lt;br/&gt;
I would like to discuss that with an architect and postpone this &quot;issue&quot;.&lt;/p&gt;

&lt;p&gt;I&apos;ll do the change in OpenEditForumItemDialogAction where I already use forumManager.isModerator(); the others I postpone.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 10 Mar 2014 14:24:39 +0100</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ajones</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            9 years, 49 weeks, 3 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>cmeier</customfieldvalue>
            <customfieldvalue>mdivilek</customfieldvalue>
            <customfieldvalue>rkovarik</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i036fz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>18639</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>