Details

    • Type: Story
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1 Penguins
    • Fix Version/s: 2.2 Penguins
    • Labels:
      None
    • Sprint:
      2.2 Penguins

      Description

      As an Owner I'd like to add other users into Admins so that I can share administration responsibility with others

      Acceptance Criteria

      • Under the Administration menu there should be a Users menu item. Only Admins can see it.
      • After pressing it, the user gets to the list of users registered in Antarcticle.
      • Each row should have username, first name, last name and a Roles column.
      • There should be 50 users per page. The search box should search by username/first name/last name (search should be case-insensitive, without a suggestion list).
      • At the moment there should be 2 roles: User & Admin. A combo box should give the possibility to choose between them.
      • After a role is chosen, it should be applied automatically (no Save/Cancel buttons). Some visual effect (green mark, popup, etc.) should indicate that the operation succeeded.
      • If the role wasn't changed successfully (e.g. no connection to the server, or someone has revoked the admin role from the current user), a red popup should explain the error.
      • If a user was given the Admin role, then he can do the same things as the current admin: edit/remove others' articles/comments and see the Administration menu.
      • A user cannot change his own role.
      • If a user tries to enter the direct address of the page but has no permissions, he should get a 403 Forbidden page (and the status code should also be 403).

        Attachments

        1. 1.jpg (195 kB)
        2. 2.jpg (204 kB)
        3. 3.jpg (14 kB)
        4. 4.jpg (8 kB)
        5. 5.jpg (102 kB)
        6. 6.png (186 kB)
        7. Screenshot 2014-05-27 23.38.53.png (33 kB)

        Structure

        (does not include ANTARCTICLE-277)

          Activity

          jk1 Evgeniy Naumenko added a comment -

          Search is now case-insensitive, table has overflow set up, requested tooltips added, search field has focus by default

          julik Julia Atlygina added a comment -

          The lowest possible role (User) is assigned in that case, so there is no vulnerability here. As for the error messages, I see no reason to give any tips to a hacky bastard messing up with the codes. There is no legal way for a user to change these values.

          1. You're saying that this is safer, but this can be a security hole on its own: bad guy can send a direct request with "blablabla" role for admin and change admin role into user.
          2. I think it should be possible to distinguish incorrect and correct data entering. When something goes wrong, it's easier to inspect the problem when the logic is straightforward.
          3. Every new QA engineer will run into this and file bugs

          julik Julia Atlygina added a comment -

          I've retested that issue myself: there is no possibility to change the role by WebDeveloper, and the role is not changed by a direct request with "blablabla". So, I see just one problem: we will get status 200 even if nothing happens, and this can be a problem in our future auto and performance tests.

          jk1 Evgeniy Naumenko added a comment -

          Discussed and agreed to fix it to avoid problems with autotests in future

          nikita.astrakhovich Nikita Astrakhovich added a comment -

          Test Environment
          Win7 FF 29.01

          Acceptance criteria passed

          Additional testing:

          Test scenario

          1) Checking direct requests
          1. Log in at http://qa.jtalks.org/antarcticle/ as the user with the "admin" role. Navigate to the Role management page (http://qa.jtalks.org/antarcticle/roles) and change the role of the user admin to "user"
          2. Check with Firebug the request sent to the server (http://qa.jtalks.org/antarcticle/roles/user/1)
          3. Log out and log in as a user with the "user" role.
          4. Send request with text

          {user: "admin"}

          to http://qa.jtalks.org/antarcticle/roles/user/1

          AR = ER = user will get 403 page

          2) Checking search field with DevTool
          1. Log in at http://qa.jtalks.org/antarcticle/ as the user with the "admin" role. Navigate to the Role management page (http://qa.jtalks.org/antarcticle/roles)
          2. In dev tools choose Forms -> Convert Form Methods -> Convert GET to POST
          3. In the search text field type " ' " and press the "Filter" button

          AR = ER = user will get 403 page

          Test results:
          All requirements described in the current ticket were implemented, retested and satisfy all conditions

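The acceptance criteria above and the discussion in the comments about what the role endpoint should answer for an unknown role value, as an added example that is not Antarcticle's own code: a small in-memory role service in Python that allows only Admins to list users or change roles (403 otherwise), refuses a user's change of his own role, rejects unknown role values with 400 instead of silently mapping them to User and answering 200, and implements the case-insensitive search over username/first name/last name with 50 users per page. The class and function names (RoleService, User, VALID_ROLES, PAGE_SIZE), the in-memory store and the 400 status for the self-change and unknown-role cases are assumptions made for this example; the ticket only fixes 403 for missing permissions.

```python
"""Role-management model matching the ticket's acceptance criteria.

Added example, not Antarcticle's code. Assumptions: users live in an
in-memory dict, the caller's identity comes from an authenticated session,
and every operation returns (HTTP status, payload) as a web layer would.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VALID_ROLES = ("User", "Admin")   # the two roles named in the ticket
PAGE_SIZE = 50                    # users per page, per the acceptance criteria


@dataclass
class User:
    user_id: int
    username: str
    first_name: str
    last_name: str
    role: str = "User"


class RoleService:
    def __init__(self, users: List[User]):
        self.users: Dict[int, User] = {u.user_id: u for u in users}

    def _is_admin(self, user_id: int) -> bool:
        # Re-read the role from the store on every call: an admin whose role
        # was revoked in another session must lose access immediately
        # (the "someone has revoked admin role" case in the criteria).
        u = self.users.get(user_id)
        return u is not None and u.role == "Admin"

    def list_users(self, actor_id: int, query: str = "",
                   page: int = 1) -> Tuple[int, List[User]]:
        """Paged, case-insensitive search; 403 for non-admins."""
        if not self._is_admin(actor_id):
            return 403, []
        q = query.strip().lower()
        matches = [
            u for u in self.users.values()
            if not q
            or q in u.username.lower()
            or q in u.first_name.lower()
            or q in u.last_name.lower()
        ]
        matches.sort(key=lambda u: u.username.lower())
        start = (max(page, 1) - 1) * PAGE_SIZE
        return 200, matches[start:start + PAGE_SIZE]

    def change_role(self, actor_id: int, target_id: int,
                    new_role: str) -> Tuple[int, str]:
        """Apply a role change, or explain why it was not applied."""
        if not self._is_admin(actor_id):
            return 403, "Forbidden"
        if actor_id == target_id:
            # Assumption: a self-change is a client error, so 400.
            return 400, "You cannot change your own role"
        target = self.users.get(target_id)
        if target is None:
            return 404, "No such user"
        if new_role not in VALID_ROLES:
            # Reject unknown values explicitly rather than mapping them to
            # User and answering 200: a silent 200 hides failures from tests
            # and gives a forged request a way to demote an admin.
            return 400, f"Unknown role: {new_role!r}"
        target.role = new_role
        return 200, f"Role of {target.username} set to {new_role}"


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    svc = RoleService([
        User(1, "admin", "Ad", "Min", "Admin"),
        User(2, "alice", "Alice", "Smith"),
        User(3, "bob", "Bob", "Jones"),
    ])
    print(svc.change_role(2, 3, "Admin"))        # non-admin -> 403
    print(svc.change_role(1, 3, "blablabla"))    # unknown role -> 400
    print(svc.change_role(1, 3, "Admin"))        # applied -> 200
    print([u.username for u in svc.list_users(1, "ALI")[1]])
```

The service keeps every decision in the returned status code, which is what the comment thread asked for: autotests can assert on 400/403 rather than inspecting the database after a 200.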

            People

            • Assignee: julik Julia Atlygina
            • Reporter: ctapobep Stanislav Bashkyrtsev