#1973 We should make Admin privileges sticky (see description)

v1.0.0
closed
sf-2 (994)
General
nobody
2015-08-20
2011-04-19
Chris Tsai
No

https://sourceforge.net/apps/trac/sourceforge/ticket/17513


Hello,

I have a project called u/f-javier. I didn't create it and I don't know what it is.

The project's web page shows a 403 error message: Read access required.

I can't enter the project settings.

The project must be deleted. Can you help me?

Thanks, f-javier.


User https://sourceforge.net/u/ofthelit/profile/ is also affected.

Something weird going on with these permissions?


https://sourceforge.net/u/apotheon/profile/ is affected too.

Discussion

  • Mark Ramm - 2011-08-19

    You should not be able to remove the last project admin.

     
  • Mark Ramm - 2011-08-19

    You should not be able to remove permissions from the admin group.

    • summary: users getting 403 errors on their own user projects [17513] --> We should make Admin privileges sticky (see description)
     
  • Dave Brondsema - 2011-08-19

    Admin group should always be able to do everything. In this case, admin should still be able to 'read' even though the 'read' perm group is empty.

    • summary: users getting 403 errors on their own user projects [17513] --> We should make Admin privileges sticky (see description)
     
  • Dave Brondsema - 2011-08-19
    • labels: --> support
    • summary: We should make Admin privileges sticky (see description) --> users getting 403 errors on their own user projects [17513]
    • size: --> 2
     
  • Anonymous - 2011-08-21

    Originally by: apotheon

    • Description has changed:

    Diff:

    --- old 
    +++ new 
    @@ -19,3 +19,6 @@
     User https://sourceforge.net/u/ofthelit/profile/ is also affected.
    
     Something weird going on with these permissions?
    +
    +----
    +https://sourceforge.net/u/apotheon/profile/ is affected too.
    
     
    • status: open --> in-progress
    • assigned_to: Tim Van Steenburgh
     
    • status: in-progress --> code-review
    • assigned_to: Tim Van Steenburgh --> John Hoffmann ☠
     
  • forge:tv/1973

    This was a two-part change:
    1. Prevent user from removing all Admins on a project.
    2. Implicitly give project Admins all other permissions on the project, its apps, and subprojects.

    Functional tests are included for both changes.

    To test #1:
    Go to /p/test/admin/groups and try to remove all users from the Admin group. You should get a flash message stating that you must have at least one Admin.

    To test #2:
    Make sure you are logged in as a user that is a project admin but not a nbhd admin. Go to /p/test/admin/tools and open the permissions for an installed tool. Remove permissions that would affect an Admin, then make sure you can still perform the actions guarded by those permissions.

    For example, remove *anonymous from the Read permission on the Wiki tool. On current dev, this will prevent a project Admin from reading the Wiki, because *anonymous is a subrole of Admin, and unless you give Admin the Read permission back explicitly, Admin won't have Read. On tv/1973, Admin should implicitly still have Read on the Wiki after you remove *anonymous.

    Try this on a user project also, and with other tools and permissions.

     
  • John Hoffman - 2011-08-25
    • status: code-review --> closed
     
  • John Hoffman - 2011-08-25

    Tested fine here, merged to dev.

     
