
I can see a candidate's visit list even though I don't belong to the same project as him/her

Open nicolasbrossard opened this issue 4 years ago • 1 comment

Describe the bug
Found on branch main, with RB data.

I create a user that has permission access_all_profiles and belongs to project Challah. When I log in and click on Access Profile, I can only see candidates associated with project Challah, which is OK. I can nevertheless access a candidate's visit list even though the candidate is not associated with project Challah by typing the appropriate URL in my browser (i.e. http://my_vm_host/587630, where candidate 567830 is the ID of a candidate that belongs to Pumpernickel).

What did you expect to happen? I should have been taken to a page that tells me I do not have permission to view this.

nicolasbrossard avatar Aug 25 '20 18:08 nicolasbrossard

Note the Candidate class implements the AccessibleResource interface, so whoever tackles this should probably fix it by calling isAccessibleBy on the candidate instance so that the rules for a candidate are centralized in one place.

driusan avatar Aug 25 '20 18:08 driusan
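The pattern driusan suggests, as an added illustration that is not LORIS's own code: the resource (here a Candidate) answers isAccessibleBy for a given user, and the page handler asks that question before rendering anything, so a hand-typed URL like the one in the report gets the same answer as a link on Access Profile. The interface shape, the User and Candidate classes, the handler name handleVisitList, the HTTP status choices and the sample project names and IDs are all assumptions for the example (PHP 8.1+ for readonly promoted properties).

```php
<?php
// Added example of centralizing the candidate access rule in one place
// (isAccessibleBy) and enforcing it in the page handler. Not LORIS code;
// the interface, classes, permission handling and sample data are assumed.

declare(strict_types=1);

interface AccessibleResource
{
    public function isAccessibleBy(User $user): bool;
}

final class User
{
    /** @param string[] $projects @param string[] $permissions */
    public function __construct(
        public readonly string $name,
        public readonly array $projects,
        public readonly array $permissions,
    ) {}

    public function hasPermission(string $perm): bool
    {
        return in_array($perm, $this->permissions, true);
    }
}

final class Candidate implements AccessibleResource
{
    public function __construct(
        public readonly int $candID,
        public readonly string $project,
    ) {}

    // The single place where "a user may see this candidate only if they
    // share a project with it" lives. access_all_profiles is assumed to
    // widen access within the user's projects, not across them.
    public function isAccessibleBy(User $user): bool
    {
        return in_array($this->project, $user->projects, true);
    }
}

/**
 * Hypothetical handler for /{candID}. Returns [status, body]. The
 * authorization check runs before any candidate data is rendered.
 *
 * @param array<int, Candidate> $candidates constructed lookup table
 * @return array{int, string}
 */
function handleVisitList(User $user, int $candID, array $candidates): array
{
    if (!$user->hasPermission('access_all_profiles')) {
        return [403, 'You do not have permission to view this.'];
    }
    $candidate = $candidates[$candID] ?? null;
    if ($candidate === null) {
        return [404, 'Unknown candidate'];
    }
    if (!$candidate->isAccessibleBy($user)) {
        // Returning the same body as the 404 case is a reasonable
        // alternative if confirming that the ID exists is a concern.
        return [403, 'You do not have permission to view this.'];
    }
    return [200, "Visit list for candidate {$candidate->candID}"];
}

// Constructed sample data mirroring the report: one Challah candidate,
// one Pumpernickel candidate, and a user who belongs only to Challah.
$candidates = [
    100001 => new Candidate(100001, 'Challah'),
    100002 => new Candidate(100002, 'Pumpernickel'),
];
$user = new User('reporter', ['Challah'], ['access_all_profiles']);

foreach ([100001, 100002, 999999] as $candID) {
    [$status, $body] = handleVisitList($user, $candID, $candidates);
    echo "GET /{$candID} -> {$status} {$body}\n";
}
```

Because the rule is evaluated on the Candidate instance rather than re-implemented in each page, the visit list, the Access Profile listing and any future endpoint that resolves a CandID cannot disagree about who may see a candidate; fixing the rule in one place fixes every caller.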