Bug #16807
test mail button requires excessive privileges
Description
When trying the test mail button I believe I run into a missing ACL?
2016-10-05 13:40:44 [app] [I] Started PUT "/users/5-straylen/test_mail" for 188.184.65.139 at 2016-10-05 13:40:44 +0200
2016-10-05 13:40:44 [app] [I] Processing by UsersController#test_mail as */*
2016-10-05 13:40:44 [app] [I] Parameters: {"user_email"=>"steve.traylen@cern.ch", "id"=>"5-straylen"}
2016-10-05 13:40:44 [app] [I] Rendered common/403.html.erb (1.4ms)
2016-10-05 13:40:44 [app] [I] Filter chain halted as :authorize rendered or redirected
The button works as admin.
Comment from IRC:
The button requires that the user has either create or edit_users, which is clearly unnecessary.
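The filter chain above halts because the action is mapped to a broad account-management permission. The following is an added example, not Foreman's code: a minimal model of a permission-map style authorize filter, showing the overly broad mapping of test_mail under edit_users beside a least-privilege mapping that only allows the caller to act on their own account. All names (User, BROAD_MAP, NARROW_MAP, authorize) are hypothetical.

```ruby
require 'set'

# Hypothetical user record: id, login, set of permission names, admin flag.
User = Struct.new(:id, :login, :permissions, :admin) do
  def admin?
    admin
  end
end

# Before the fix: test_mail lives under edit_users, so only someone who may
# edit every user account can send themselves a test e-mail.
BROAD_MAP = {
  edit_users: Set['edit', 'update', 'test_mail'],
  view_users: Set['index', 'show'],
}.freeze

# After the fix: test_mail is no longer tied to edit_users. It is treated as a
# self-service action, allowed only when the caller targets their own account,
# while editing other users still requires edit_users.
SELF_SERVICE_ACTIONS = Set['test_mail'].freeze
NARROW_MAP = {
  edit_users: Set['edit', 'update'],
  view_users: Set['index', 'show'],
}.freeze

# Returns the HTTP status an :authorize filter would produce for this request.
def authorize(user, action:, target_id:, map:, self_service: Set[])
  return 200 if user.admin?
  # Self-service actions pass only when the target is the caller's own record.
  return 200 if self_service.include?(action) && target_id == user.id
  granted = user.permissions.any? { |perm| map.fetch(perm, Set[]).include?(action) }
  granted ? 200 : 403
end

# Constructed sample users: a viewer-only account and an admin.
viewer = User.new(5, 'straylen', Set[:view_users], false)
admin  = User.new(1, 'admin', Set[], true)

# Before: a viewer testing their own mail settings is halted with 403.
authorize(viewer, action: 'test_mail', target_id: 5, map: BROAD_MAP)   # => 403
authorize(admin,  action: 'test_mail', target_id: 5, map: BROAD_MAP)   # => 200
# After: the same request succeeds, but still only for the caller's own account.
authorize(viewer, action: 'test_mail', target_id: 5, map: NARROW_MAP,
          self_service: SELF_SERVICE_ACTIONS)                          # => 200
authorize(viewer, action: 'test_mail', target_id: 7, map: NARROW_MAP,
          self_service: SELF_SERVICE_ACTIONS)                          # => 403
```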
Related issues
Associated revisions
Fixes #16807 - remove permission edit_users for test_mail
(cherry picked from commit 25236783e8c59028e78652e15106d9c1e7ef6778)
History
#1
Updated by The Foreman Bot almost 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4595 added
#2
Updated by Ohad Levy almost 6 years ago
- Legacy Backlogs Release (now unused) set to 240
#3
Updated by Amir Fefer almost 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 25236783e8c59028e78652e15106d9c1e7ef6778.
#4
Updated by Daniel Lobato Garcia almost 6 years ago
- Legacy Backlogs Release (now unused) changed from 240 to 266
#5
Updated by Daniel Lobato Garcia over 5 years ago
- Has duplicate Bug #20410: Getting 403 forbidden error while setting the email preference or sending the test email with a normal user with viewer access added
#6
Updated by Tomer Brisker over 5 years ago
- Assignee changed from Steve Traylen to Amir Fefer