
ProjectTransfer: fixed bug
Problem: AccessControl allowed all requests from a site admin or a member of the project in the isProjectResourceAllowed method, so a user of a project that was to be transferred to another user or group could accept the transfer request. Solution: Changed the isProjectResourceAllowed method to check whether the current user may accept the project-transfer request before checking whether the current user is an admin of the group or a member of the project.
@01fa7dc6aadbcad0abe7d92d38552dfb1d6339b5
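--- a/app/utils/AccessControl.java
+++ b/app/utils/AccessControl.java
@@ -226,15 +226,7 @@
 * @return true if the user has the permission
 */
 private static boolean isProjectResourceAllowed(User user, Project project, Resource resource, Operation operation) {
-if (OrganizationUser.isAdmin(project.organization, user)) {
-return true;
-}
-
-if (user.isSiteManager()
-|| user.isManagerOf(project)
-|| isAllowedIfAuthor(user, resource)
-|| isAllowedIfAssignee(user, resource)
-|| isAllowedIfGroupMember(project, user)) {
+if (user.isSiteManager()) {
 return true;
 }
 
@@ -255,6 +247,17 @@
 }
 }
 
+if (OrganizationUser.isAdmin(project.organization, user)) {
+return true;
+}
+
+if (user.isManagerOf(project)
+|| isAllowedIfAuthor(user, resource)
+|| isAllowedIfAssignee(user, resource)
+|| isAllowedIfGroupMember(project, user)) {
+return true;
+}
+
 // Some resource's permission depends on their container.
 switch(resource.getType()) {
 case ISSUE_STATE: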
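Review bot: The fix relies on an ordering invariant that nothing in the code states: the OrganizationUser.isAdmin and isManagerOf/isAllowedIf* grants at new lines 250–259 are only safe because the project-transfer check (new lines 233–248, not in either hunk) now runs before them, and a later edit that moves either block back would silently reopen the reported bug. I would pin this with a comment on the new isAdmin check: `// Must stay below the project-transfer check: org admins and project members are not eligible to accept a transfer request.` Note also that `user.isSiteManager()` at new line 229 still returns before the transfer check, so site managers can accept any transfer; if that is intended, say so in the Javadoc above the method. The body of isProjectResourceAllowed continues beyond both hunks and the transfer check itself is not visible here, so the ordering claim is inferred from the commit description and should be covered by a regression test for the reported case.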