Bug #871
closed
Do not let guests see hidden images or access data-changing viewer tools
Added by Anchi Cheng about 14 years ago.
Updated almost 7 years ago.
Affected Version:
Appion/Leginon 2.0.2
Description
Currently, a user with guest privilege can still hide images, view hidden images, and remove active targets from a running Leginon session he/she has access to. That is not good.
- Status changed from Assigned to In Code Review
- Assignee changed from Anchi Cheng to Amber Herold
- % Done changed from 0 to 100
Committed the viewer-related functions in r14772.
Not sure yet if ACE icon should also be hidden. Leave it commented out for now.
r14774 makes sure that typing the URL to removequeue.php directly does not work for a guest or non-owner, either.
testing:
1. Log in as guest and go to any image viewer. Buttons to set Exemplar, Hidden, and to remove queued targets (Q with a diagonal line) should not show.
2. Copy the link from a remove-queue button while logged in as an authorized owner, and then paste the script into the browser. It should show 'Operation not allowed'.
- Status changed from In Code Review to In Test
- Assignee changed from Amber Herold to Eric Hou
Found one more. [make jpeg] in any viewer.php is a processing function that guests should not perform, so hide it in r14826
- Status changed from In Test to Closed
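The two fixes in this thread (hiding the buttons in the viewer, and refusing a directly typed removequeue.php URL) come down to one permission check applied in two places. The PHP below is an added example, not Appion/Leginon code: every function name, array key and the policy table are hypothetical, and it assumes the exemplar, hidden and make-jpeg tools are open to any non-guest account while queue removal requires session ownership.

```php
<?php
declare(strict_types=1);

// Hypothetical policy table for the data-changing viewer tools named in this issue.
// 'user' = any non-guest account, 'owner' = must own the session.
// A tool that is not listed is denied, so a newly added tool starts out hidden.
const TOOL_POLICY = [
    'set_exemplar' => 'user',
    'set_hidden'   => 'user',
    'make_jpeg'    => 'user',
    'remove_queue' => 'owner',
];

function can_use_tool(array $user, string $tool, array $session): bool
{
    $rule = TOOL_POLICY[$tool] ?? null;
    if ($rule === null || $user['is_guest']) {
        return false;                      // unknown tool, or guest: never allowed
    }
    if ($rule === 'owner') {
        return in_array($user['id'], $session['owner_ids'], true);
    }
    return true;
}

// Viewer side: render only the buttons this user may actually use.
function visible_tools(array $user, array $session): array
{
    $allowed = fn(string $t): bool => can_use_tool($user, $t, $session);
    return array_values(array_filter(array_keys(TOOL_POLICY), $allowed));
}

// Endpoint side: the same check runs again, so a pasted URL is refused.
function handle_remove_queue(array $user, array $session): array
{
    if (!can_use_tool($user, 'remove_queue', $session)) {
        return [403, 'Operation not allowed'];
    }
    // The queue update itself is omitted: it depends on the real schema.
    return [200, 'Queue removed'];
}

// Constructed sample data: one session owned by user 7.
$session = ['id' => 42, 'owner_ids' => [7]];
$users = ['owner'     => ['id' => 7, 'is_guest' => false],
          'non-owner' => ['id' => 9, 'is_guest' => false],
          'guest'     => ['id' => 1, 'is_guest' => true]];
foreach ($users as $label => $u) {
    [$code, $msg] = handle_remove_queue($u, $session);
    printf("%-9s buttons=[%s] -> %d %s\n", $label, implode(',', visible_tools($u, $session)), $code, $msg);
}
```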