[UIAC-30] settings.acquisition-units.enabled should not include ".all" permissions - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: P3
Resolution: Done
Affects Version/s: None
Fix Version/s: 2.4.1
Labels:
- security
- security-reviewed

Template:
customfield_11100 48145
Sprint:
ACQ Sprint 117
Story Points:
1
Development Team:
Thunderjet
Release:
R2 2021 Bugfix
Epic Link:
Order Materials and Services

Description

Summary: The permission-set settings.acquisition-units.enabled is misleadingly named; it also grants write-access via .all permissions:

 92       {
 93         "permissionName": "settings.acquisition-units.enabled",
 94         "displayName": "Settings (acquisition units): display list of settings pages",
 95         "subPermissions": [
 96           "settings.enabled",
 97           "users.collection.get",
 98           "usergroups.collection.get",
 99           "acquisitions-units.units.all",
100           "acquisitions-units.memberships.all"
101         ],
102         "visible": false
103       },

TestRail: Results

Attachments

Issue Links

blocks

UIAC-31 UIAC (ui-acquisition-units) Bugfix release

Closed

defines

UXPROD-3060 Thunderjet - R3 2021 Tech Debt, NFR

In Progress

relates to

FOLIO-3198 UI apps should avoid using ".all" permissions

Open

Activity

People

Assignee:: Andrei Shumski

Reporter:: Zak_Burke

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Jun/21 3:24 AM

Updated:: 26/Jul/21 8:32 PM

Resolved:: 23/Jun/21 7:59 AM

settings.acquisition-units.enabled should not include ".all" permissions