I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In documenting permissions, I'm finding places where things are not working as probably intended.
Consider the "save_searches", "configure", and "admin" permissions in the Tracker tool:

- "save_searches" protects the individual methods on the BinController, but...
- ...user will not actually see the "Edit Searches" button in the sidebar unless he has the "configure" permission; however...
- even with the "configure" permission, user will get a 403 when clicking on the "Edit Searches" button unless he also has the "admin" permission, b/c the BinController is mounted on the TrackerAdminController

I have two proposals:

- Remove the "save_searches" permission and include "Edit Searches" in the "configure" permission
- Move the BinController off the TrackerAdminController and onto the Tracker RootController

Anyone have thoughts on this, or objections?

--
Tim Van Steenburgh
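
The mismatch described in the message above, modelled as an added example (not code from the original post or from Allura). It treats the three permissions as independent grants and assumes a request must pass both the parent controller's check and the method's own check; `Layout`, `audit` and the other names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

PERMS = ("save_searches", "configure", "admin")

@dataclass(frozen=True)
class Layout:
    """Hypothetical model of where each permission is checked (not Allura code)."""
    sidebar_perm: str    # gates rendering of the "Edit Searches" button
    mount_perms: tuple   # enforced by the controller the bin controller is mounted on
    method_perm: str     # enforced on the bin controller's own methods

# The layout described in the message above.
AS_DESCRIBED = Layout("configure", ("admin",), "save_searches")

def button_visible(layout, granted):
    return layout.sidebar_perm in granted

def request_status(layout, granted):
    # Assumption: parent-controller checks and the method check must all pass.
    needed = (*layout.mount_perms, layout.method_perm)
    return 200 if all(p in granted for p in needed) else 403

def audit(layout):
    """Classify every combination of grants as consistent, dead link or hidden feature."""
    rows = []
    for n in range(len(PERMS) + 1):
        for granted in combinations(PERMS, n):
            visible = button_visible(layout, granted)
            status = request_status(layout, granted)
            if visible and status == 403:
                verdict = "dead link"        # button shown, click returns 403
            elif not visible and status == 200:
                verdict = "hidden feature"   # page reachable, button never shown
            else:
                verdict = "consistent"
            rows.append((granted, visible, status, verdict))
    return rows

if __name__ == "__main__":
    for granted, visible, status, verdict in audit(AS_DESCRIBED):
        print(f"{', '.join(granted) or '(none)':35} button={visible!s:5} status={status} {verdict}")
```

Passing a different `Layout` to `audit` shows which grant combinations stay inconsistent after a change to where the checks live.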