WebGUI Bug Tracker
User: zzois
Date: 4/26/2008 12:11 pm
Severity: Critical (mostly not working)
Version: WebGUI Beta 7.5.10
Views: 97
zzois
Date: 4/26/2008 12:11 pm · Subject: Wrong Thingy (Thing) permissions · Rating: 0
1) This bug concerns add_url variable available in all Thingy Thing related templates (Thingy Edit Thing Template, Thingy View Thing Template and Thingy Search Thing Template).
2) It also concerns (malfunctioning) permissions set by "Who can edit?" option under Edit Screen tab available on Edit/Add Thing administration screen of every Thingy Thing.
As both problems seem to stem from the same source, I file them as one bug. Please advise if you believe I should have done otherwise.
--
Regarding 1)
add_url variable is erroneously defined and available only if user viewing the Thing has "Who can edit?" permissions set - instead it should be available if user has appropriate "Who can add?" privileges.
Operation of adding new data is nevertheless allowed if one manually enters appropriate URL into the browser address bar!
My conclusion is that add_variable is somehow tied to wrong set of permissions.
Regarding 2)
If one has adequate "Who can edit?" permissions (set in Edit Screen tab available on Edit/Add Thing administration screen), one is still not able to delete existing Thing data entries. This should not be so as same user already has ability to change them (taking into account direct DataForm comparison).
It is also inconsistent with ways other Assets behave, where having "Who can edit?" permissions allows one to edit and/or delete Asset and its properties.
--
As a plus observation I can report that having "Who can edit?" permissions on parent Thingy grants ability to edit/delete all daughter Things, regardless if user has appropriate "Who can edit?" privileges for all of them...
In itself I don't find such behaviour to be a bug, but only a bit strange - I can accept rationale that having edit permissions on parent (Thingy) implies same permissions for its daughter elements (Things), but again it seems at least a bit inconsistent with ways other Assets function in regards to their daughter elements.
I do realize, comparing Thingy-Thing relations to other conventional mother-daughter Assets relations is not totally fair... ;-)
zzois
Date: 4/26/2008 12:20 pm · Subject: Re: Wrong Thingy (Thing) permissions · Rating: 0
I can reproduce this on http://beta.webgui.org
yhkhoe
Date: 5/1/2008 10:16 am · Subject: Re: Wrong Thingy (Thing) permissions · Rating: 0
The two problems you report are related, but they don't stem from the same source. So, since you ask, I would have preferred two separate bug reports in this case, but it doesn't really matter that much in this case.
The second problem is fixed in 7.5.11. I'm working on a fix for the first problem.
> --
> As a plus observation I can report that having "Who can edit?" permissions on parent Thingy grants ability to edit/delete all daughter Things, regardless if user has appropriate "Who can edit?" privileges for all of them...
> In itself I don't find such behaviour to be a bug, but only a bit strange - I can accept rationale that having edit permissions on parent (Thingy) implies same permissions for its daughter elements (Things), but again it seems at least a bit inconsistent with ways other Assets function in regards to their daughter elements.
> I do realize, comparing Thingy-Thing relations to other conventional mother-daughter Assets relations is not totally fair... ;-)
I think there are two different parent-child relations that can be found in wobjects.
In the first case both parent and child are assets, for example a messageboard that has threads. In this case I think the child usually has, and should have, its own permissions.
In the second case the parent is an asset and the child is collateral data, for example a Survey and its questions or Thingy and its Things. In that case I think that permissions on the parent will usually imply permissions on the children. I haven't looked at all wobjects to see if this is the case. But I think there are exceptions to this because there can be good reasons to give children their own permissions in this case.
zzois
Date: 5/1/2008 11:03 am · Subject: Re: Wrong Thingy (Thing) permissions · Rating: 0
>> --
>> As a plus observation I can report that having "Who can edit?" permissions on parent Thingy grants ability to edit/delete all daughter Things, regardless if user has appropriate "Who can edit?" privileges for all of them...
>> In itself I don't find such behaviour to be a bug, but only a bit strange - I can accept rationale that having edit permissions on parent (Thingy) implies same permissions for its daughter elements (Things), but again it seems at least a bit inconsistent with ways other Assets function in regards to their daughter elements.
>> I do realize, comparing Thingy-Thing relations to other conventional mother-daughter Assets relations is not totally fair... ;-)
> I think there are two different parent-child relations that can be found in wobjects.
> In the first case both parent and child are assets, for example a messageboard that has threads. In this case I think the child usually has, and should have, its own permissions.
> In the second case the parent is an asset and the child is collateral data, for example a Survey and its questions or Thingy and its Things. In that case I think that permissions on the parent will usually imply permissions on the children. I haven't looked at all wobjects to see if this is the case. But I think there are exceptions to this because there can be good reasons to give children their own permissions in this case.
OK, your arguments make sense and in case one needs two sets of data with different editing permissions (e.g. for managing employees data of different departments within same company) one always has the ability to create another Thingy and interchange its Thingy Thing data with other(s).
Though it's not as "elegant" as having both sets of the same (company) context under the roof of same Thingy... ;-)
yhkhoe
Date: 5/2/2008 12:16 pm · Subject: Re: Wrong Thingy (Thing) permissions · Rating: 0
The first problem (add_url tmpl_var permissions) is also fixed in 7.5.11.
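
Added example, not part of the thread and not WebGUI code: a toy Python model of the first problem, where the add link follows the "Who can edit?" group while the add operation follows "Who can add?". It includes a check that reports every user for whom the rendered link and the handler disagree. All class, function and user names and the URL are hypothetical.

```python
# Toy model of the first problem (added illustration, not WebGUI code).
from dataclasses import dataclass, field

ADD_URL = "/thing/add"  # constructed placeholder URL

@dataclass
class Thing:
    can_add: set    # members of the "Who can add?" group
    can_edit: set   # members of the "Who can edit?" group
    rows: list = field(default_factory=list)

def may(thing, user, action):
    """One authorization decision per action, shared by views and handlers."""
    return user in {"add": thing.can_add, "edit": thing.can_edit}[action]

def template_vars_reported(thing, user):
    # Behaviour described in the report: add_url follows the *edit* permission.
    return {"add_url": ADD_URL} if may(thing, user, "edit") else {}

def template_vars_expected(thing, user):
    # Behaviour the reporter expects: add_url follows the *add* permission.
    return {"add_url": ADD_URL} if may(thing, user, "add") else {}

def handle_add(thing, user, row):
    # The handler enforces the permission itself; a hidden link is not a control.
    if not may(thing, user, "add"):
        raise PermissionError("add denied")
    thing.rows.append(row)

def handler_allows_add(thing, user):
    scratch = Thing(set(thing.can_add), set(thing.can_edit))  # probe a copy
    try:
        handle_add(scratch, user, {"probe": True})
        return True
    except PermissionError:
        return False

def link_mismatches(thing, users, template_vars):
    """Users for whom the rendered add link disagrees with the add handler."""
    found = []
    for user in users:
        shown = "add_url" in template_vars(thing, user)
        if shown != handler_allows_add(thing, user):
            found.append((user, "link shown, add denied" if shown
                          else "link hidden, add allowed"))
    return found

USERS = ["alice", "bob", "carol", "dave"]            # constructed sample users
THING = Thing(can_add={"alice", "carol"}, can_edit={"bob", "carol"})
```

Running `link_mismatches` over a matrix of users and groups like this works as a regression test: any non-empty result means the template and the handler consult different permissions.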