Commit bc23a6c1 authored by Piotr Gawron's avatar Piotr Gawron

disable editing users when curator doesn't have write access level

parent b85bc9bb
......@@ -13,6 +13,8 @@ minerva (14.0.0~beta.0) unstable; urgency=low
* Bug fix: privilege checking on updating privileges, data overlays were not
sufficient and could lead to access escalation
* Bug fix: user without privileges had edit map input options enabled
* Bug fix: user without privileges had edit map input options for managing
project users
* Bug fix: alignment of tabs fixed for dialogs: "Add Project", "Edit Genome",
"Edit Project", "Edit User" (#881)
......
......@@ -781,12 +781,14 @@ EditProjectDialog.prototype.refreshMaps = function () {
*/
EditProjectDialog.prototype.refreshUsers = function () {
var self = this;
return self.getServerConnector().getLoggedUser().then(function (user) {
var curatorPrivilege = self.getConfiguration().getPrivilegeType(PrivilegeType.IS_CURATOR);
var adminPrivilege = self.getConfiguration().getPrivilegeType(PrivilegeType.IS_ADMIN);
return self.getServerConnector().getLoggedUser().then(function (loggedUser) {
var isAdmin = loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.IS_ADMIN));
var isCurator = loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.IS_CURATOR)) &&
loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.WRITE_PROJECT), self.getProject().getProjectId());
//we need to refresh users as well because of privileges
if (user.hasPrivilege(curatorPrivilege) || user.hasPrivilege(adminPrivilege)) {
return ServerConnector.getUsers(true).then(function (users) {
if (isAdmin || isCurator) {
return self.getServerConnector().getUsers(true).then(function (users) {
return self.setUsers(users);
});
} else {
......
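Review bot: The new `isCurator` condition in `refreshUsers` only decides whether the dialog loads the user list, so it is a display gate rather than an access control; a curator without `WRITE_PROJECT` on this project is still able to reach the privilege-update API unless the server rejects the request. The changelog shown on this page lists a fix for privilege checking on updating privileges, but that code is not part of this hunk, so it is worth confirming the server applies the same rule (admin, or curator with write access to this project id). I would state this above the `if`, e.g. `// UI gate only; the server must enforce IS_ADMIN, or IS_CURATOR plus WRITE_PROJECT on this project`, and rename `isCurator` to something like `canManageProjectUsers`, since it no longer means only "is a curator". The `else` branch and the rest of the function lie outside the hunk.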