On 01/05/13 01:42, Olemis Lang wrote:
On 4/30/13, Anze Staric <[email protected]> wrote:
Both product list and global dashboard currently require PRODUCT_VIEW
permission in global context and are therefore not visible to
anonymous users.

Are there any unwanted consequences if we grant this permission to all
users (in global env) during the upgrade?

Please do not do that. It's annoying when upgrades hijack the
decisions made by admins + users ... especially when it comes to
security & permissions which might compromise the stability,
confidentiality policies, ... of certain environments.


Olemis is right in principle. We should never be setting user permissions on an upgrade.

I am not convinced that PRODUCT_VIEW is the correct permission for showing this page as a whole. Although in a sense it is still messing with decisions on permissions, we could change it to TICKET_VIEW. If it is not already in place we also need to make sure that we are able to determine which products a user should have access to along with respecting the permissions of anything within each product that might get displayed.

Cheers,
    Gary
