Bug #16807

closed

test mail button requires excessive privileges

Added by Steve Traylen about 8 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: E-Mail
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When trying the test mail button I believe I run into a missing ACL?

2016-10-05 13:40:44 [app] [I] Started PUT "/users/5-straylen/test_mail" for 188.184.65.139 at 2016-10-05 13:40:44 +0200
2016-10-05 13:40:44 [app] [I] Processing by UsersController#test_mail as */*
2016-10-05 13:40:44 [app] [I] Parameters: {"user_email"=>"", "id"=>"5-straylen"}
2016-10-05 13:40:44 [app] [I] Rendered common/403.html.erb (1.4ms)
2016-10-05 13:40:44 [app] [I] Filter chain halted as :authorize rendered or redirected

The button works as admin.

Comment from IRC:

The button requires that the user has either create or edit_users, which is clearly unnecessary.
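
One way to triage this kind of denial from the application log, as an added example that is not part of the original ticket or Foreman's own code: it pairs each `Started` line with a following `Filter chain halted as :authorize` line and counts denials per controller action. The sample log is constructed (documentation-range IP, hypothetical user id), and the code assumes the lines of one request are contiguous.

```ruby
# Added example: find requests that the :authorize before-filter rejected.
# SAMPLE_LOG is constructed for illustration; it mirrors the log format in the ticket.
SAMPLE_LOG = <<~LOG
  2016-10-05 13:40:44 [app] [I] Started PUT "/users/7-alice/test_mail" for 192.0.2.10 at 2016-10-05 13:40:44 +0200
  2016-10-05 13:40:44 [app] [I] Processing by UsersController#test_mail as */*
  2016-10-05 13:40:44 [app] [I]   Rendered common/403.html.erb (1.4ms)
  2016-10-05 13:40:44 [app] [I] Filter chain halted as :authorize rendered or redirected
  2016-10-05 13:41:02 [app] [I] Started GET "/hosts" for 192.0.2.10 at 2016-10-05 13:41:02 +0200
  2016-10-05 13:41:02 [app] [I] Processing by HostsController#index as HTML
  2016-10-05 13:41:03 [app] [I] Completed 200 OK in 812ms
LOG

STARTED    = /Started (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+)/
PROCESSING = /Processing by (?<action>[\w:]+#\w+)/
HALTED     = /Filter chain halted as :(?<filter>\w+)/

# Returns one hash per request that a before-filter halted.
# Assumption: this log format carries no request id, so lines of one request
# must be contiguous; interleaved requests could be misattributed.
def halted_requests(log)
  current = nil
  denied = []
  log.each_line do |line|
    if (m = STARTED.match(line))
      current = { verb: m[:verb], path: m[:path], ip: m[:ip] }
    elsif current && (m = PROCESSING.match(line))
      current[:action] = m[:action]
    elsif current && (m = HALTED.match(line))
      denied << current.merge(filter: m[:filter])
      current = nil
    end
  end
  denied
end

# Count denials per controller action to spot endpoints that reject ordinary users.
def denials_by_action(log)
  halted_requests(log).group_by { |r| r[:action] }.transform_values(&:size)
end

p denials_by_action(SAMPLE_LOG)
```

An action that shows up here for self-service operations, while working for admins, is a candidate for a permission check that is broader than the action needs.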


Related issues 1 (0 open, 1 closed)

Has duplicate: Foreman - Bug #20410: Getting 403 forbidden error while setting the email preference or sending the test email with a normal user with viewer access (Duplicate, 07/26/2017)