
BUG: organizer gets de-escalated permissions when accessing group from profile page

Open Matt-Holland opened this issue 7 years ago • 0 comments

Given a user who has Organizer privileges on group A, and where group B is an affiliate of (i.e. publishes admin rights to) group A, the user should have Organizer rights on group B. The bug is that while this does work when the user accesses the affiliated group from the "Groups" tab on the "parent" group, it does not work when the user accesses the same affiliated group page via the link in the http://app.affinity.works/profile page.

This is true regardless of whether the user has an existing membership with the affiliated group or not:

scenario A

  1. log in, arrive on profile page
  2. in list of groups, click Sister District Regional (where user is a member), arrive at http://app.affinity.works/groups/122/dashboard
  3. select "groups" tab to arrive at http://app.affinity.works/groups/122/affiliates
  4. click link for Sister District MA08 (group 137) (this group publishes its affiliation to group 122, but the user is not a member or organizer of group 137)
  5. result: user gets the "organizer" view of group 137 (CORRECT)

scenario B

  1. log in, arrive on profile page
  2. in list of groups, click Sister District MA08
  3. result: get MEMBER view of group 137 (WRONG)

scenario C

  1. log in, arrive on profile page
  2. in list of groups, click Sister District Regional (where user is a member), arrive at http://app.affinity.works/groups/122/dashboard
  3. select "groups" tab to arrive at http://app.affinity.works/groups/122/affiliates
  4. click link for Sister District MA07 (group id 136) (user is a plain member, but also this group publishes its affiliation to group 122)
  5. result: get "Organizer" view of group 136 (CORRECT)

scenario D

  1. log in, arrive on profile page
  2. in list of groups, click Sister District MA07 (group id 136) (user is a plain member, but also this group publishes its affiliation to group 122)
  3. result: get MEMBER view of group 136 (WRONG)

Background info: user: Michelle Ottaviano id: 2267177

User's memberships:

  groupid, personid, role, groupname
  3,2267177,1,SDP MA04
  9,2267177,0,SisterDistrict MA04
  122,2267177,0,Sister District Regional
  123,2267177,0,Sister District - MA
  136,2267177,0,Sister District MA07

Groups Affiliated with (i.e. publishing to) Sister District Regional (group 122):

  id, name
  14,'SisterDistrict MA04 : West'
  133,'Sister District MA01'
  12,'SisterDistrict MA04 : South'
  123,'Sister District - MA'
  10,'SisterDistrict MA04 : North-West'
  136,'Sister District MA07'
  3,'SDP MA04'
  125,'SisterDistrict MA02'
  11,'SisterDistrict MA04 : RiseUp'
  138,'Sister District MA09'
  137,'Sister District MA08'
  134,'Sister District MA03'
  124,'Sister District - RI'
  13,'SisterDistrict MA04 : South Coast'
  126,'SisterDistrict MA05'
  135,'Sister District MA06'
  9,'SisterDistrict MA04 : North-East'

Matt-Holland, Jan 12 '18 01:01
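
An added example, not part of the issue or the project's code: a route-independence check for the inheritance rule described above, flagging any group whose resolved role differs between arriving from the profile page and arriving from the parent's "Groups" tab. The user and group ids are constructed, and `role_from_route` is a hypothetical model of the symptom, since the issue does not identify the cause.

```python
from enum import IntEnum

class Role(IntEnum):
    NONE = 0
    MEMBER = 1
    ORGANIZER = 2

# Constructed sample data (hypothetical ids, not records from the issue).
DIRECT = {("u1", "parent"): Role.ORGANIZER, ("u1", "child_b"): Role.MEMBER}
# child group -> parent groups it publishes admin rights to
PUBLISHES_TO = {"child_a": {"parent"}, "child_b": {"parent"}}

def inherited_role(user, group, parents):
    """ORGANIZER if the user organizes any of the given parents of `group`."""
    for parent in parents & PUBLISHES_TO.get(group, set()):
        if DIRECT.get((user, parent)) == Role.ORGANIZER:
            return Role.ORGANIZER
    return Role.NONE

def role_from_route(user, group, came_from=None):
    """Path-dependent model: inheritance is honoured only for the group
    the user navigated from (hypothetical; the issue names no cause)."""
    parents = {came_from} if came_from else set()
    return max(DIRECT.get((user, group), Role.NONE),
               inherited_role(user, group, parents))

def effective_role(user, group, came_from=None):
    """Path-independent: consult every parent, ignore the entry route."""
    return max(DIRECT.get((user, group), Role.NONE),
               inherited_role(user, group, PUBLISHES_TO.get(group, set())))

def route_violations(resolver, user, routes=(None, "parent")):
    """Groups whose resolved role changes with the entry route."""
    bad = []
    for group in sorted(PUBLISHES_TO):
        seen = {resolver(user, group, came_from=r) for r in routes}
        if len(seen) > 1:
            bad.append(group)
    return bad
```

Running `route_violations` over every user and affiliated group as a regression test catches both directions of this class of bug: a route that drops inherited rights, as reported here, and a route that grants rights the direct path would not.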