While developing #371769: allow for n to n and typed user/client relationships, we noticed an inconsistency in the access controls for the site creation form that is in a tab of the Client node type. Basically, there are no access controls there. I can freely create a site for any Client as long as I'm logged in as a client that has the "create site" permission.

This obviously needs to be fixed before release.

Comment  File                 Size       Author
#3       client_access.patch  838 bytes  anarcat

Comments

anarcat’s picture

The problem is that there is no access check in the form itself. I confirm the issue by more formal testing: my "anarcat" user only has access to the "anarcat" client and was able to create a site in the "admin" client.

anarcat’s picture

Assigned: Unassigned » anarcat
anarcat’s picture

Assigned: anarcat » adrian
Status: Active » Needs review
Status  File  Size
new           838 bytes

So here's my stab at this. I'm quite confused by all of this so I would appreciate adrian's eyeballs on this.

anarcat’s picture

Status: Needs review » Fixed

Fixed in my last commit. There was no access control on the form...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
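
A minimal model of the check the thread says was missing, as an added example that is neither the patch attached to this issue nor the project's own code. The function names, data layout and sample users are constructed for illustration, and no Drupal API is called.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not from the issue's patch).
const PERMISSIONS = [
    'admin'   => ['create site'],
    'anarcat' => ['create site'],
    'guest'   => [],
];
// n-to-n mapping: client => users attached to it.
const CLIENT_USERS = [
    'admin'   => ['admin'],
    'anarcat' => ['anarcat'],
];

function has_permission(string $user, string $perm): bool
{
    return in_array($perm, PERMISSIONS[$user] ?? [], true);
}

// Reported behaviour: the target client is never compared with the user.
function can_create_site_permission_only(string $user, string $client): bool
{
    return has_permission($user, 'create site');
}

// Hardened: permission AND membership in the target client; unknown
// users or clients fall through to "deny".
function can_create_site(string $user, string $client): bool
{
    return has_permission($user, 'create site')
        && in_array($user, CLIENT_USERS[$client] ?? [], true);
}

// Enforce at submission time, since the client id arrives with the request.
function submit_site_form(string $user, string $client, string $site): string
{
    if (!can_create_site($user, $client)) {
        return "403: $user may not create sites for client '$client'";
    }
    return "created $site for client '$client'";
}

foreach ([['anarcat', 'anarcat'], ['anarcat', 'admin'], ['guest', 'anarcat']] as [$u, $c]) {
    printf("%-8s -> %-8s weak=%s  %s\n", $u, $c,
        var_export(can_create_site_permission_only($u, $c), true),
        submit_site_form($u, $c, 'example.test'));
}
```

The second row reproduces the case tested in the thread: the permission-only check passes for "anarcat" against the "admin" client, while the membership check denies it.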