Yes, that's what Prageeth's annotations do. The getter for the
gametoken in GameData should be marked with something along the lines
of PUBLIC=admin, PRIVATE=guest.
Meaning that unless you're an admin, you can only see the gametoken if
it belongs to a game in a devteam you are part of. Last I checked
these annotations worked (i.e. viewing a different user). Can you check
that you're not logged in as an admin and try seeing the gametoken?

On 23/05/2011, at 10:53 AM, Matt Giuca <[email protected]> wrote:

The edit page itself should be blocked, but there's nothing stopping
them from viewing those fields (because they need to). If they do edit
an object and pass it back, it will refuse to write it.

That's true for a few cases, but absolutely not in general. Case in
point: The GameToken should NOT be visible to someone outside the
devteam. I suppose all of the other fields of Game should be visible.
Are there any other fields which should not be shown to all? If not,
then I suppose we can make a special case for GameToken.
Is there any infrastructure at the moment for denying view access on
specific fields?
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
Views aren't restricted by permission
Status in Melbourne University Game-based Learning Environment:
Triaged
Bug description:
The permissions system stops you from writing anywhere you shouldn't,
but there don't appear to be any restrictions on what you can view.
Any user can go around to #!/devteam/game/+edit and see everything
there, including all the badges, and the game token.
Users need to be restricted from accessing certain kinds of data. Note
that this can't be done on the client side. The server needs to refuse
to give you certain objects (or refuse to fill in certain fields) if
you ask for them.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
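
The server-side, per-field view check discussed in this thread, as an added example that is not MUGLE's code or Prageeth's annotations: the `ViewAccess` annotation, its `publicView`/`privateView` members, the `Role` enum and the sample data are hypothetical, modelled only on the "PUBLIC=admin, PRIVATE=guest" description above. Getters without the annotation are withheld, so a newly added field is not exposed by default.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class FieldViewDemo {
    enum Role { GUEST, DEVELOPER, ADMIN }  // hypothetical roles, lowest to highest

    // Hypothetical annotation: minimum role needed to read a getter when the
    // caller is outside the owning devteam (publicView) or inside it (privateView).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface ViewAccess { Role publicView(); Role privateView(); }

    static class GameData {
        private final String name, gameToken;
        private final Set<String> devTeam;
        GameData(String name, String gameToken, Set<String> devTeam) {
            this.name = name; this.gameToken = gameToken; this.devTeam = devTeam;
        }
        @ViewAccess(publicView = Role.GUEST, privateView = Role.GUEST)
        public String getName() { return name; }
        // Outsiders must be admins; devteam members may always read it.
        @ViewAccess(publicView = Role.ADMIN, privateView = Role.GUEST)
        public String getGameToken() { return gameToken; }
        // No annotation: never copied into a response.
        public Set<String> getDevTeam() { return devTeam; }
    }

    // Runs on the server: builds the object sent to the client. Fields the
    // caller may not view are never copied, so client code cannot reveal them.
    static Map<String, Object> viewFor(GameData g, String user, Role role) throws Exception {
        boolean member = g.getDevTeam().contains(user);
        Map<String, Object> out = new TreeMap<>();
        for (Method m : GameData.class.getDeclaredMethods()) {
            ViewAccess a = m.getAnnotation(ViewAccess.class);
            if (a == null) continue;                       // deny by default
            Role needed = member ? a.privateView() : a.publicView();
            if (role.compareTo(needed) >= 0)               // enum order = privilege order
                out.put(m.getName().substring(3), m.invoke(g));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not real MUGLE values.
        GameData g = new GameData("Pong", "tok-CONSTRUCTED", Set.of("alice"));
        System.out.println("member guest:   " + viewFor(g, "alice", Role.GUEST));
        System.out.println("outsider guest: " + viewFor(g, "bob", Role.GUEST));
        System.out.println("outsider admin: " + viewFor(g, "carol", Role.ADMIN));
    }
}
```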