Access denied error when editing institution group as group admin
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Ghada El-Zoghbi | |
Bug Description
Mahara: 16.04.2
DB: Postgres
OS: Linux
Browser: Firefox
A user assigned the role of 'Admin' in a group is not able to update the group.
This group was created via CSV upload and was assigned to an institution (i.e. institution1).
The group admin user is able to enter the settings and make changes. When they click the 'Save group' button, they get an error:
Access denied
You do not have access to view this page.
group_update: cannot update a group in this institution
The check is on line 577 in htdocs/
* if (!empty(
This check was put in for bug: https:/
Which fixes an issue for groups that are in 'no institution'.
What I don't understand is why it's checking - on line 581 - if a user can edit the institution that group belongs to:
* if (!$USER-
Surely if a user is an admin of the group, they can update it - whether that group is associated with an institution or not. And, if the user can edit that institution or not.
Shouldn't this check be if the user is an admin of the group - not institution?
i.e. replace lines 577 to 584 with:
global $USER;
if (group_
throw new AccessDeniedExc
}
Am I missing something?
Changed in mahara:
milestone: none → 16.10.0
status: New → In Progress
assignee: nobody → Ghada El-Zoghbi (ghada-z)
importance: Undecided → High
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Patch for "master" branch: https://reviews.mahara.org/6756
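The two checks discussed in the bug description, modelled side by side as an added example (not Mahara code and not the committed patch). Every function name, user and group below is hypothetical, and the institution check is modelled only as the report describes it: it applies when the group has an institution and then requires institution edit rights.

```php
<?php
// Added illustration; every name here is hypothetical and none of it is Mahara code.
// Constructed sample data: group 7 belongs to institution1, group 8 to no institution.
$groups = [7 => 'institution1', 8 => ''];
$groupRoles = [7 => ['alice' => 'admin', 'bob' => 'member'], 8 => ['alice' => 'admin']];
$institutionAdmins = ['institution1' => ['carol']];

// Role the user holds in the group, or null if the user is not a member.
function group_role(array $groupRoles, int $groupId, string $user): ?string {
    return $groupRoles[$groupId][$user] ?? null;
}

// Whether the user administers the given institution.
function can_edit_institution(array $admins, string $institution, string $user): bool {
    return in_array($user, $admins[$institution] ?? [], true);
}

// Model of the check the report describes: it applies only when the group
// has an institution, and then requires institution edit rights.
function passes_institution_check(array $groups, array $admins, int $groupId, string $user): bool {
    $institution = $groups[$groupId];
    return $institution === '' || can_edit_institution($admins, $institution, $user);
}

// Model of the check the report proposes: the group role decides.
function passes_group_admin_check(array $groupRoles, int $groupId, string $user): bool {
    return group_role($groupRoles, $groupId, $user) === 'admin';
}

// Print the decision matrix for every user/group pair.
foreach ([7, 8] as $groupId) {
    foreach (['alice', 'bob', 'carol'] as $user) {
        printf(
            "group %d %-5s institution-check=%-5s group-admin-check=%s\n",
            $groupId,
            $user,
            passes_institution_check($groups, $institutionAdmins, $groupId, $user) ? 'allow' : 'deny',
            passes_group_admin_check($groupRoles, $groupId, $user) ? 'allow' : 'deny'
        );
    }
}
```

In this model the group admin (alice) is denied by the institution check on group 7, matching the reported error, while an institution admin who holds no group role (carol) passes it. Swapping one check for the other reverses both outcomes, so a regression test for this bug should cover both kinds of user.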