Bug #871
closednot to let guests seeing hidden images or access data-changing viewer tools
100%
Description
Currently, guest privilege can still hide images, view hidden images, remove active targets from running leginon session he/she has access to. That is not good.
Updated by Anchi Cheng over 13 years ago
- Status changed from Assigned to In Code Review
- Assignee changed from Anchi Cheng to Amber Herold
- % Done changed from 0 to 100
committed in r14772 the viewer-related functions
Not sure yet if ACE icon should also be hidden. Leave it commented out for now.
r14774 makes sure that direct url typing to removequeue.php does not work for guest or non-owner, either.
testing:
1. login as guest and go to any image viewer. buttons to set Exemplar, Hidden, and to remove queued targets (Q with a diagonal line) should not show.
2. Copy the link from a remove-queue button while login as an authorized owner, and then past the script to the browser. It should show 'Operation not allowed'
Updated by Amber Herold over 13 years ago
- Status changed from In Code Review to In Test
Updated by Amber Herold over 13 years ago
- Assignee changed from Amber Herold to Eric Hou
Updated by Anchi Cheng over 13 years ago
Found one more. [make jpeg] in any viewer.php is a processing function that guests should not perform, so hide it in r14826
Updated by Sargis Dallakyan over 6 years ago
- Status changed from In Test to Closed