Peter, I vaguely recall the conversations around (similar, not exactly the same) permissions at the time this was implemented, and it was decided to allow this due to time constraints. I do not object to your proposal to change this (maybe Matt Gilman feels differently?). If you open a Jira, it should be doable.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jul 27, 2018, at 9:32 AM, Peter Wicks (pwicks) <pwi...@micron.com> wrote:
>
> While experimenting with permissions, I found that if I have no permissions
> to a process group, but do have permissions to a child that lives in that
> group, I can move that child around on the UI.
>
> I know that in the object model the x,y position values are part of the
> child, which I have access to; but in this scenario it feels like I'm allowed
> to modify things in a group where I have no permissions. I propose that users
> can't move (x,y) objects if they do not have modify access to the parent
> group. Thoughts?
>
> --Peter