On 01/05/13 01:42, Olemis Lang wrote:
> On 4/30/13, Anze Staric <anze.staric@gmail.com> wrote:
>> Both product list and global dashboard currently require PRODUCT_VIEW
>> permission in global context and are therefore not visible to
>> anonymous users.
>>
>> Are there any unwanted consequences if we grant this permission to all
>> users (in global env) during the upgrade?
>>
> Please do not do that. It's annoying when upgrades hijack the
> decisions made by admins + users ... especially when it comes to
> security & permissions which might compromise the stability,
> confidentiality policies, ... of certain environments.
>
Olemis is right in principle. We should never be setting user
permissions on an upgrade.

I am not convinced that PRODUCT_VIEW is the correct permission for
showing this page as a whole. Although in a sense it is still messing
with decisions on permissions, we could change it to TICKET_VIEW. If it
is not already in place we also need to make sure that we are able to
determine which products a user should have access to along with
respecting the permissions of anything within each product that might
get displayed.

Cheers,
Gary