Student Success Plan
SSP-1839

Cannot create private MAP Template if not granted MAP_PUBLIC_TEMPLATE_WRITE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: SSP 2.0.0, SSP 2.1.0, SSP 2.0.1
    • Fix Version/s: SSP 2.1.0, SSP 2.0.1, SSP 2.2.0
    • Component/s: MAP
    • Labels:
      None

      Description

      If a user hasn't been granted MAP_PUBLIC_TEMPLATE_WRITE they can, unexpectedly, only create public templates.

      The client-side fix has already been committed as https://github.com/Jasig/SSP/commit/d9b2d9c7811472328367baaab4e90db29f2dc9c6 (rel-2-0-patches). We still need to add server-side code to prohibit creation of public templates directly via the API if the current user does not hold a MAP_PUBLIC_TEMPLATE_WRITE grant.

      Complete fix will be in 2.0.1 first, then needs to be merged up to 2.1.0 and 2.2.0. Leaving a merge-to-2-0 label on this, though, b/c that's what we're effectively using to keep track of 11th-hour 2.0.1 fixes.

        Activity

        Dan McCallum added a comment -

        Jim, please fix in rel-2-0-patches first and mark Resolved when done, keeping all labels.

        Questions welcome, of course.

        Dan McCallum added a comment -

        Reopening because the server-side fix prevents an under-permissed user from saving a public template as private. (Should always be able to go that way, just not the other way.)

        Dan McCallum added a comment -

        Resolving again and adding the 2.1.0 fix version. Leaving all merge labels attached pending QA.

        To try to clarify the current rules... MAP_PUBLIC_TEMPLATE_WRITE is required for

        1. Creating a public template
        2. Editing an existing template and setting it to public, regardless of its original state
        3. Deleting a public template

        So... if you don't have that permission you're not allowed to edit a public template unless the edit includes flipping it to private. Prior to these most recent commits you couldn't edit a public Template, period.

        Note that this doesn't mean an underpermissed user can run around flipping other users' templates to private... that action will still create an all-new template and leave the original template intact.
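
The permission rules listed in the comment above, written out as a server-side check. This is an added example for this page, not code from the SSP commits; the class, enum and method names are hypothetical, and only the permission name comes from the ticket. It covers the MAP_PUBLIC_TEMPLATE_WRITE decision only.

```java
import java.util.Set;

// Added illustration, not SSP source. Class, enum and method names are
// hypothetical; only MAP_PUBLIC_TEMPLATE_WRITE comes from the ticket.
public class PublicTemplateGuard {
    static final String PUBLIC_WRITE = "MAP_PUBLIC_TEMPLATE_WRITE";

    enum Op { CREATE, EDIT, DELETE }

    // storedPublic: visibility of the persisted template, loaded server-side
    //               (never taken from the request); unused for CREATE.
    // requestedPublic: visibility in the submitted payload; unused for DELETE.
    static boolean passes(Set<String> grants, Op op,
                          boolean storedPublic, boolean requestedPublic) {
        if (grants.contains(PUBLIC_WRITE)) {
            return true; // this check only; other permissions are out of scope
        }
        switch (op) {
            case CREATE:
                return !requestedPublic; // rule 1
            case EDIT:
                // Rule 2: the resulting state decides. Testing storedPublic here
                // would also reject public -> private edits.
                return !requestedPublic;
            case DELETE:
                return !storedPublic;    // rule 3
            default:
                return false;            // fail closed
        }
    }

    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) throw new AssertionError(label);
        System.out.println((actual ? "allow " : "deny  ") + label);
    }

    public static void main(String[] args) {
        Set<String> none = Set.of();                // constructed sample users
        Set<String> granted = Set.of(PUBLIC_WRITE);
        expect(true,  passes(none, Op.CREATE, false, false), "create private, no grant");
        expect(false, passes(none, Op.CREATE, false, true),  "create public, no grant");
        expect(true,  passes(none, Op.EDIT, true, false),    "edit public -> private, no grant");
        expect(false, passes(none, Op.EDIT, false, true),    "edit private -> public, no grant");
        expect(false, passes(none, Op.EDIT, true, true),     "edit public, stays public, no grant");
        expect(false, passes(none, Op.DELETE, true, false),  "delete public, no grant");
        expect(true,  passes(none, Op.DELETE, false, false), "delete private, no grant");
        expect(true,  passes(granted, Op.CREATE, false, true), "create public, granted");
    }
}
```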

        Jason Elwood added a comment -

        QA'd on Linux CI running 2.0.1. Already merged to 2.1 and will QA that next.

        Dan McCallum added a comment -

        There are three total commits for this on rel-2-1-patches, but one has a NOJIRA, matching the corresponding commit in rel-2-0-patches (referenced in the ticket description). The three related commits on rel-2-1-patches, in the order in which they were committed, are:

        1. 567b49630e247e72463e38b8002cd1ac18448f8e (NOJIRA)
        2. 30d919eb212d5e3285ba01f4efb5b7e5b121e30e
        3. 62912c5351200d2610a859d5204151329a25e671
        Dan McCallum added a comment -

        Cherry-picked into master for 2.2.0. Leaving merge-to-2-2 label attached pending QA.


          People

          • Assignee: Dan McCallum
          • Reporter: Dan McCallum