Booking reservations should not require global permissions

Bug #1835127 reported by Jeff Davis on 2019-07-02
This bug affects 2 people

Bug Description

In the IDL, permissions for booking.reservation and booking.reservation_attr_value_map are global in scope (global_required=true). These permissions should be scoped by org unit instead. Following action.hold_request, I would suggest using pickup_lib as the context field.
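The difference between the two scopes, as an added example that is not part of the original report and not Evergreen code: a simplified model in which a global rule tests the permission at the top of the org tree, while a scoped rule tests it at the org unit in the row's pickup_lib. The org units, users, the permission name and all function names are constructed for illustration.

```python
# Simplified model of IDL permission scoping (constructed; not Evergreen code).
# Org tree as child -> parent. All names below are hypothetical.
PARENT = {"CONS": None, "SYS1": "CONS", "BR1": "SYS1", "BR2": "SYS1"}
ROOT = "CONS"

# Grants: (user, permission) -> org units where the permission was granted.
# In this model a grant covers that org unit and everything beneath it.
GRANTS = {
    ("br1_staff", "EXAMPLE_RESERVATION_PERM"): {"BR1"},
    ("cons_admin", "EXAMPLE_RESERVATION_PERM"): {"CONS"},
}

def has_perm_at(user, perm, org):
    """True if the user holds perm at org or at any ancestor of org."""
    granted = GRANTS.get((user, perm), set())
    while org is not None:
        if org in granted:
            return True
        org = PARENT[org]
    return False

def allowed(user, rule, row):
    """Evaluate one action rule against one row."""
    if rule.get("global_required"):
        # Global scope: the permission must hold at the top of the org tree.
        return has_perm_at(user, rule["permission"], ROOT)
    # Org-unit scope: test at the org unit named by the row's context field.
    context_org = row.get(rule["context_field"])
    if context_org not in PARENT:
        return False  # missing or unknown context org: fail closed
    return has_perm_at(user, rule["permission"], context_org)

GLOBAL_RULE = {"permission": "EXAMPLE_RESERVATION_PERM", "global_required": True}
SCOPED_RULE = {"permission": "EXAMPLE_RESERVATION_PERM",
               "context_field": "pickup_lib"}

def compare(user, row):
    """Return (decision under the global rule, decision under the scoped rule)."""
    return allowed(user, GLOBAL_RULE, row), allowed(user, SCOPED_RULE, row)

if __name__ == "__main__":
    for user in ("br1_staff", "cons_admin"):
        for lib in ("BR1", "BR2"):
            print(user, lib, compare(user, {"pickup_lib": lib}))
```

Under the global rule the branch-level grant is never sufficient, so branch staff would need a consortium-wide grant to work with reservations; under the scoped rule the same grant covers only rows whose pickup_lib falls inside the branch.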

tags: added: booking permissions
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1873048-lp1835127-booking-perms scopes reservation perms as suggested:;a=commitdiff;h=0be427d6

There's an additional commit in that branch that adds a scoped retrieve perm for booking resource types (see bug 1873048).

Changed in evergreen:
milestone: none → 3.5.0
tags: added: pullrequest
Jane Sandberg (sandbej) wrote :

Thanks for the branch, Jeff. I do have a concern about adding permission="ADMIN_BOOKING_RESOURCE_TYPE" back to retrieving brt. I removed that permission because of this issue:

Granted, there are other ways to address the issue Terran describes in that comment. But we should make sure to address it in another way before adding these perms back.

Jeff Davis (jdavis-sitka) wrote :

Good point. A separate view permission should do the trick, I think. I'll put together a branch for that.

Changed in evergreen:
importance: Undecided → Medium
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1835127-reservation-perms adds scoping and new view perms for reservations:;a=shortlog;h=refs/heads/user/jeffdavis/lp1835127-reservation-perms

Changed in evergreen:
milestone: 3.5.0 → 3.5.1
Changed in evergreen:
milestone: 3.5.1 → 3.5.2
Chris Sharp (chrissharp123) wrote :

Pushed to rel_3_4, rel_3_5, and master. Thanks, Jeff and Jane!

Changed in evergreen:
status: New → Fix Committed