READ only user can create collections/dashboard with using magic link

XMLWordPrintable

    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • 3.10.0-alpha1, 3.10.0
    • Affects Version/s: None
    • Component/s: backend
    • None
    • Not defined

      Brief summary of the bug. What is it ? Where is it ?

      Steps to reproduce:

      1. Create a process, deploy and start an instance.
      2. Give Read only user authorization to Optimize user
      entity:  # which users are authorized to create/edit/delete Optimize entities outside of a collection.  # Available options: 'all', 'superuser', 'none'  
 authorizedEditors: "all"

            3. Login to Optimize 

            4. Create a collection/dashboard using magic link 

      https://<OPTIMIZE_ROOT_URL>/#/collection/<PROCESS-DEF-KEY>/dashboard/<PROCESS-DEF-KEY>

      Actual result:

      Magic link is hidden on the Processes page but Read only user can create collection/dashboard using the magic link on browser.

      Expected result:

      Read only user shouldn't be able to create collection/dashboard using magic link on browser. We can show an error message and navigate the user to the main page of Optimize or Processes page(can be discussed).

            Assignee:
            Unassigned
            Reporter:
            Cigdem Ilhan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: