I actually took a stab at trying to document permissions a while ago, and ran into similar findings. The doc-in-progress I have is here: https://sourceforge.net/p/forge/community-docs/Project%20Permissions/
And here's the ticket I submitted based on the similar inconsistencies I ran into: https://sourceforge.net/p/allura/tickets/6084/

--
Chris Tsai
SourceForge.net Support

On Wednesday, July 17, 2013 at 2:22 PM, Tim Van Steenburgh wrote:
>
> On Wednesday, July 17, 2013 at 11:55 AM, Tim Van Steenburgh wrote:
> > I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In
> > documenting permissions, I'm finding places where things are not working as
> > probably intended.
> >
> > Consider the "save_searches", "configure", and "admin" permissions in the
> > Tracker tool:
> >
> > - "save_searches" protects the individual methods on the BinController, but...
> > - ...user will not actually see the "Edit Searches" button in the sidebar
> >   unless he has the "configure" permission; however...
> > - even with the "configure" permission, user will get a 403 when clicking on
> >   the "Edit Searches" button unless he also has the "admin" permission, b/c
> >   the BinController is mounted on the TrackerAdminController
> >
> After more digging I've discovered that this particular problem is
> system-wide. There are many controller methods on Application admin
> controllers that purport to be protected by the "configure" permission, yet
> are unreachable by a user with the bare "configure" permission, because the
> ProjectAdminController through which the request is dispatched requires a
> blanket "admin" permission.
>
> I don't have a solution to propose for this yet, but will report back when I
> do. Would be glad to hear ideas from others in the meantime.
>
> > I have two proposals:
> >
> > - Remove the "save_searches" permission and include "Edit Searches" in the
> >   "configure" permission
> > - Move the BinController off the TrackerAdminController and onto the Tracker
> >   RootController
> >
> > Anyone have thoughts on this, or objections?
> >
> > --
> > Tim Van Steenburgh
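The dispatch problem described in the quoted message, as an added example that is not part of the original thread and is not Allura code: a toy controller tree where every node on the dispatch path runs its own permission check, plus an audit that lists methods whose declared permission is not enough to reach them. The controller names come from the thread; the tree shape and the leaf method names `options` and `save_bin` are assumptions made for illustration.

```python
# Toy model of nested controller dispatch (added example, not Allura code).
# A request must pass the permission check of every node on its dispatch path.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    requires: Optional[str] = None      # permission checked at this node
    children: list = field(default_factory=list)


def walk(node, path=(), inherited=frozenset()):
    """Yield (path, declared, needed) for each leaf method."""
    path = path + (node.name,)
    needed = inherited | ({node.requires} if node.requires else set())
    if not node.children:
        yield "/".join(path), node.requires, needed
    for child in node.children:
        yield from walk(child, path, needed)


def find_shadowed(root):
    """Leaves whose own declared permission is not sufficient to reach them."""
    return {p: sorted(n) for p, declared, n in walk(root) if n != {declared}}


def can_reach(root, target, granted):
    """True if a user holding `granted` passes every check on the path."""
    for p, _, needed in walk(root):
        if p == target:
            return needed <= set(granted)
    raise KeyError(target)


# Constructed tree: controller names are from the thread, the leaf method
# names "options" and "save_bin" are hypothetical.
TREE = Node("ProjectAdminController", "admin", [
    Node("TrackerAdminController", None, [
        Node("options", "configure"),
        Node("BinController", None, [Node("save_bin", "save_searches")]),
    ]),
])

if __name__ == "__main__":
    for path, needed in find_shadowed(TREE).items():
        print(f"{path}: effectively requires {needed}")
```

Running the same audit over a real route table makes the gap between documented and effective permissions visible before it is written into the docs.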