Booking reservations should not require global permissions

Bug #1835127 reported by Jeff Davis
This bug affects 2 people
Status: Fix Released

Bug Description

In the IDL, permissions for booking.reservation and booking.reservation_attr_value_map are global in scope (global_required=true). These permissions should be scoped by org unit instead. Following action.hold_request, I would suggest using pickup_lib as the context field.

tags: added: booking permissions
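
The difference between a global permission and one scoped by `pickup_lib`, as an added example that is not part of the original report and is not Evergreen's own permission code. It is a simplified model: the org tree, user names, grants and the permission name `EXAMPLE_RESERVATION_PERM` are constructed, and grants are assumed to cover an org unit and everything below it.

```python
# Simplified model of the two scoping modes; not Evergreen's permission code.
# Constructed org tree: child -> parent (None marks the consortium root).
ORG_PARENT = {
    "CONS": None,
    "SYS1": "CONS", "BR1": "SYS1", "BR2": "SYS1",
    "SYS2": "CONS", "BR3": "SYS2",
}
PERM = "EXAMPLE_RESERVATION_PERM"  # placeholder permission name

# Constructed grants: user -> org units where PERM is held.
# Assumption: a grant covers the org unit and everything below it.
GRANTS = {
    "branch_staff": {"BR1"},
    "system_admin": {"SYS1"},
    "consortium_admin": {"CONS"},
}

def ancestors(org):
    """Return org followed by each of its ancestors up to the root."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain

def holds_perm_at(user, org):
    """True if the user holds PERM at org or at one of its ancestors."""
    return any(a in GRANTS.get(user, set()) for a in ancestors(org))

def may_modify(user, reservation, global_required=False, context_field=None):
    """Decide access the way each scoping mode would."""
    if global_required:
        # Global scope: the row is ignored; the grant must reach the root.
        root = next(o for o, p in ORG_PARENT.items() if p is None)
        return holds_perm_at(user, root)
    # Org-unit scope: check against the org unit named by the context field.
    return holds_perm_at(user, reservation[context_field])

def compare(user, reservation):
    """Return (allowed under global scope, allowed when scoped by pickup_lib)."""
    return (may_modify(user, reservation, global_required=True),
            may_modify(user, reservation, context_field="pickup_lib"))

if __name__ == "__main__":
    for lib in ("BR1", "BR3"):
        for user in GRANTS:
            print(user, lib, compare(user, {"id": 1, "pickup_lib": lib}))
```

Under the global mode only the consortium-wide grant passes, so branch staff would need a grant at the top of the tree to manage any reservation; with `pickup_lib` as the context, each grant reaches only reservations picked up within its own subtree.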
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1873048-lp1835127-booking-perms scopes reservation perms as suggested:;a=commitdiff;h=0be427d6

There's an additional commit in that branch that adds a scoped retrieve perm for booking resource types (see bug 1873048).

Changed in evergreen:
milestone: none → 3.5.0
tags: added: pullrequest
Jane Sandberg (sandbergja) wrote :

Thanks for the branch, Jeff. I do have a concern about adding permission="ADMIN_BOOKING_RESOURCE_TYPE" back to retrieving brt. I removed that permission because of this issue:

Granted, there are other ways to address the issue Terran describes in that comment. But we should make sure to address it in another way before adding these perms back.

Jeff Davis (jdavis-sitka) wrote :

Good point. A separate view permission should do the trick, I think. I'll put together a branch for that.

Changed in evergreen:
importance: Undecided → Medium
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1835127-reservation-perms adds scoping and new view perms for reservations:;a=shortlog;h=refs/heads/user/jeffdavis/lp1835127-reservation-perms

Changed in evergreen:
milestone: 3.5.0 → 3.5.1
Changed in evergreen:
milestone: 3.5.1 → 3.5.2
Chris Sharp (chrissharp123) wrote :

Pushed to rel_3_4, rel_3_5, and master. Thanks, Jeff and Jane!

Changed in evergreen:
status: New → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released