Ajax toggle publish status action has incorrect permission check. #13683
The problem lies in the Ajax controller's check for the toggle publishStatus action. This part checks the permissions.
What this does is check if the full permission exists, which it does. Then it checks if the permission is granted (which it is not), and thus skips the further checks. If somebody can provide some pointers to existing code where this is done correctly I'm happy to create a PR. I think the simplest adjustment is to keep checking until we encounter true, so that would be something like below.
Mautic Version
5.0.x series
Way of installing
I installed with composer using https://github.com/mautic/recommended-project
PHP version
8.1
What browsers are you seeing the problem on?
Not relevant
What happened?
When a user does not have the full access to an entity he cannot use the toggle publish status action.
How can we reproduce this issue?
Step 1: Remove administrator / full access to contact segments for a user. Give edit / view permission.
Try to toggle publish status in segment list overview. See access denied, while this should be granted.
Relevant log output
No response
Code of Conduct
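As an added illustration (not Mautic's own code), the short-circuit the report describes is shown beside the proposed "keep checking until we encounter true" variant; the function names and permission keys below are constructed for this example and are not Mautic identifiers.

```php
<?php
// Illustration of the permission-check logic discussed in the issue.
// $known maps a permission name to whether the user holds it (constructed data);
// $candidates is the ordered list of permissions that would allow the action.

// Hypothetical helper: does this permission exist in the system at all?
function permissionExists(string $perm, array $known): bool
{
    return array_key_exists($perm, $known);
}

// Buggy pattern: as soon as a permission *exists*, its grant result is returned,
// so a denied "full" permission masks a granted "edit"/"view" permission later
// in the list and the user is refused even though they are entitled to act.
function isAllowedBuggy(array $candidates, array $known): bool
{
    foreach ($candidates as $perm) {
        if (permissionExists($perm, $known)) {
            return $known[$perm]; // short-circuits on the first existing permission
        }
    }
    return false;
}

// Proposed adjustment: keep checking until one candidate is actually granted,
// and deny only when none of them is.
function isAllowedFixed(array $candidates, array $known): bool
{
    foreach ($candidates as $perm) {
        if (permissionExists($perm, $known) && $known[$perm]) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the user lacks "full" access to segments but may edit and view.
$known = [
    'segments:full' => false,
    'segments:edit' => true,
    'segments:view' => true,
];
$candidates = ['segments:full', 'segments:edit', 'segments:view'];

var_dump(isAllowedBuggy($candidates, $known)); // denied, reproducing the report
var_dump(isAllowedFixed($candidates, $known)); // granted via the edit permission
```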