Item5464: ALLOWTOPICRENAME should not apply to attachments
Current State: Closed
Released In: 1.1.3
Target Release: patch
User is not a member of TWikiAdminGroup
Set ALLOWTOPICRENAME = TWikiAdminGroup
User attempts to delete an attachment on the topic.
Access rename not allowed on topic
This violates the Principle of Least Surprise. Deleting an attachment should fall under ALLOWTOPICCHANGE. The topic is not being renamed in this case.
Note that adding or "managing" an attachment falls under TOPICCHANGE as expected.
- 22 Mar 2008
Possible enhancement: ALLOWATTACHMENT* options might be interesting
- 23 Mar 2008
I think your original proposal is best and I agree that it is a bug that ALLOWTOPICRENAME affects renaming an attachment.
I do not think we need more complex access rights. The most reasonable fix would be to let ALLOWTOPICCHANGE be what limits renaming of attachments and only let ALLOWTOPICRENAME control renaming the topic.
- 23 Mar 2008
Kenneth - agreed. Just an idea on the additional "Attachment" rights. My primary concern is that adding (or deleting or updating) an attachment should all fall under TOPICCHANGE.
- 25 Mar 2008
- 04 Jan 2009
Fix committed to trunk. Tested on release11 branch as well, but not checked in there yet. Existing unit tests didn't need changes. Added two tests to verify the impact of topic permissions, and one unrelated test to verify that CHANGE is required on the target web of a topic rename.
Kenneth - any thoughts on getting this one into 1.1.3?
- 19 Mar 2011
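The rule agreed in this item, as an added example that is not the project's code: a simplified Python model in which attachment operations need CHANGE on the topic, while a topic rename needs RENAME on the topic plus CHANGE on the target web. Assumptions: only ALLOW settings are modelled, an empty setting means no restriction, and the user names, `OtherGroup` and the function names are constructed for illustration.

```python
# Simplified model of the access rule discussed in this item (not the project's code).
# Assumption: an empty or missing ALLOW setting places no restriction for that mode.

# Access modes each operation must hold, and on which object.
REQUIRED = {
    "attach":            [("CHANGE", "topic")],
    "manage_attachment": [("CHANGE", "topic")],
    "delete_attachment": [("CHANGE", "topic")],  # the bug demanded RENAME here
    "rename_topic":      [("RENAME", "topic"), ("CHANGE", "target_web")],
}

def members(name, groups, seen=None):
    """Expand a user or (possibly nested) group name into a set of users."""
    seen = seen or set()
    if name not in groups:
        return {name}
    if name in seen:  # guard against circular group definitions
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        users |= members(member, groups, seen)
    return users

def has_mode(user, mode, settings, scope, groups):
    """True if `user` holds `mode` under ALLOW<scope><mode>, e.g. ALLOWTOPICCHANGE."""
    allowed = settings.get(f"ALLOW{scope}{mode}", [])
    if not allowed:
        return True
    return any(user in members(name, groups) for name in allowed)

def check(user, op, topic_settings, groups, target_web_settings=None):
    """Return (allowed, reason) for `op`, checking every required mode."""
    for mode, where in REQUIRED[op]:
        if where == "topic":
            ok = has_mode(user, mode, topic_settings, "TOPIC", groups)
        else:
            ok = has_mode(user, mode, target_web_settings or {}, "WEB", groups)
        if not ok:
            return False, f"{mode} denied on {where}"
    return True, "ok"

# Constructed sample data mirroring the report: only admins may rename the topic.
GROUPS = {"TWikiAdminGroup": ["AdminUser"]}
TOPIC = {"ALLOWTOPICRENAME": ["TWikiAdminGroup"]}
TARGET_WEB = {"ALLOWWEBCHANGE": ["OtherGroup"]}
```
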