bloodhound-dev mailing list archives

From Gary Martin <gary.mar...@wandisco.com>
Subject Re: [BEP-0003] Wiki install vs. upgrade
Date Wed, 01 May 2013 09:28:13 GMT
On 01/05/13 01:42, Olemis Lang wrote:
> On 4/30/13, Anze Staric <anze.staric@gmail.com> wrote:
>> Both product list and global dashboard currently require PRODUCT_VIEW
>> permission in global context and are therefore not visible to
>> anonymous users.
>>
>> Are there any unwanted consequences if we grant this permission to all
>> users (in global env) during the upgrade?
>>
> Please do not do that. It's annoying when upgrades hijack the
> decisions made by admins + users ... especially when it comes to
> security & permissions which might compromise the stability,
> confidentiality policies, ... of certain environments.
>

Olemis is right in principle. We should never be setting user 
permissions on an upgrade.

I am not convinced that PRODUCT_VIEW is the correct permission for 
showing this page as a whole. Although in a sense it is still messing 
with decisions on permissions, we could change it to TICKET_VIEW. If it 
is not already in place we also need to make sure that we are able to 
determine which products a user should have access to along with 
respecting the permissions of anything within each product that might 
get displayed.

Cheers,
     Gary
