Bug #871

closed

Do not let guests see hidden images or access data-changing viewer tools

Added by Anchi Cheng about 14 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee: Eric Hou
Category: -
Target version: -
Start date: 09/10/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: Appion/Leginon 2.0.2
Show in known bugs: No
Workaround:

Description

Currently, a user with guest privilege can still hide images, view hidden images, and remove active targets from a running Leginon session he/she has access to. That is not good.

Actions #1

Updated by Anchi Cheng about 14 years ago

  • Status changed from Assigned to In Code Review
  • Assignee changed from Anchi Cheng to Amber Herold
  • % Done changed from 0 to 100

Committed the viewer-related functions in r14772.
Not sure yet if the ACE icon should also be hidden. Leave it commented out for now.

r14774 makes sure that typing the URL to removequeue.php directly does not work for a guest or non-owner, either.

Testing:
1. Log in as guest and go to any image viewer. Buttons to set Exemplar, Hidden, and to remove queued targets (Q with a diagonal line) should not show.
2. Copy the link from a remove-queue button while logged in as an authorized owner, and then paste the script into the browser. It should show 'Operation not allowed'.
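
The two checks in the test steps above, as an added example that is not part of the original ticket or of the Leginon code: one authorization function decides both whether the data-changing buttons are rendered and whether a direct request to a remove-queue handler is honoured. The function names, the user and session array layouts, the 'guest' and 'user' privilege strings and the 'view' button are assumptions; only the three hidden buttons and the 'Operation not allowed' message come from the ticket.

```php
<?php
// Added illustration, not Leginon code. Names and array layouts are hypothetical.

/** One decision point for every data-changing viewer action. */
function canModifySession(?array $user, array $session): bool
{
    if ($user === null || $user['privilege'] === 'guest') {
        return false;                              // guests are read-only
    }
    return $user['id'] === $session['owner_id'];   // non-owners are denied
}

/** Step 1: the viewer only renders data-changing buttons when allowed. */
function viewerButtons(?array $user, array $session): array
{
    $buttons = ['view'];                           // assumed read-only control
    if (canModifySession($user, $session)) {
        array_push($buttons, 'exemplar', 'hidden', 'removequeue');
    }
    return $buttons;
}

// Step 2: the handler repeats the check, so a copied or typed URL is
// refused even though the button was never rendered for this user.
function handleRemoveQueue(?array $user, array $session, callable $remove): array
{
    if (!canModifySession($user, $session)) {
        return [403, 'Operation not allowed'];
    }
    $remove($session['id']);
    return [200, 'Queued targets removed'];
}

// Constructed sample data.
$session = ['id' => 42, 'owner_id' => 7];
$users = [
    'guest'     => ['id' => 3, 'privilege' => 'guest'],
    'non-owner' => ['id' => 9, 'privilege' => 'user'],
    'owner'     => ['id' => 7, 'privilege' => 'user'],
];
$removed = [];
$remove = function (int $id) use (&$removed): void { $removed[] = $id; };

foreach ($users as $label => $user) {
    [$status, $message] = handleRemoveQueue($user, $session, $remove);
    printf("%-9s buttons=%s -> %d %s\n", $label,
        implode(',', viewerButtons($user, $session)), $status, $message);
}
```

Hiding the buttons alone would pass step 1 but fail step 2; the check inside the handler is what makes the pasted link return the refusal.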

Actions #2

Updated by Amber Herold about 14 years ago

  • Status changed from In Code Review to In Test

Actions #3

Updated by Amber Herold about 14 years ago

  • Assignee changed from Amber Herold to Eric Hou

Actions #4

Updated by Anchi Cheng about 14 years ago

Found one more. [make jpeg] in any viewer.php is a processing function that guests should not perform, so it is hidden in r14826.

Actions #5

Updated by Sargis Dallakyan almost 7 years ago

  • Status changed from In Test to Closed