- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 0.20 Larks
- Fix Version/s: 1.5 Larks
- Labels: None
- Sprint: 1.5 Larks
1. Check that the user has the EDIT_PROFILE permission.
2. Go to the user profile page.
3. Click the 'edit profile' button (don't close this tab).
4. Go to the admin panel in another tab.
5. Add the 'registered users' group to the restricted section for the EDIT_PROFILE permission.
6. Go back to the tab with the 'edit profile' page and click save.
AR (actual result): the profile is saved.
ER (expected result): the "no permission" page should be displayed.
NOTE:
In TransactionalUserService.editUserProfile(UserInfoContainer info), the 2nd line calls checkPermissionsToEditProfile(currentUser.getId());, which is declared as:
@PreAuthorize("hasPermission(#userId, 'USER', 'ProfilePermission.EDIT_PROFILE')")
public void checkPermissionsToEditProfile(Long userId)
The check doesn't work because @PreAuthorize is evaluated by Spring only when the method is called through the proxy (e.g. when a caller invokes a method of the injected service). Here the method of the real class is called (a method of this class), so the proxy is never involved and the annotation is not evaluated.
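The self-invocation problem described in the note, reproduced as an added example that is not the project's code. It assumes a JDK dynamic proxy and a hypothetical @RequiresEditProfile annotation as stand-ins for Spring Security's proxy and @PreAuthorize; the method editUserProfileGuarded and the permissionGranted flag are also hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

public class SelfInvocationDemo {
    // Hypothetical stand-in for @PreAuthorize: enforced only by the proxy below.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresEditProfile {}

    interface UserService {
        void editUserProfile(String info);                        // unguarded entry point
        @RequiresEditProfile void checkPermissionsToEditProfile(long userId);
        @RequiresEditProfile void editUserProfileGuarded(String info);
    }

    // Constructed state: the admin has just revoked EDIT_PROFILE.
    static boolean permissionGranted = false;

    static class RealUserService implements UserService {
        public void editUserProfile(String info) {
            // Call on "this": goes straight to the real object, never through the proxy.
            checkPermissionsToEditProfile(1L);
            System.out.println("saved without a permission check: " + info);
        }
        public void checkPermissionsToEditProfile(long userId) {
            // Empty body: the annotation was meant to be the whole check.
        }
        public void editUserProfileGuarded(String info) {
            System.out.println("saved: " + info);
        }
    }

    // The proxy evaluates the annotation only for calls that arrive through it.
    static UserService secure(UserService target) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.isAnnotationPresent(RequiresEditProfile.class) && !permissionGranted)
                throw new SecurityException("access denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (UserService) Proxy.newProxyInstance(
            UserService.class.getClassLoader(), new Class<?>[]{UserService.class}, handler);
    }

    public static void main(String[] args) {
        UserService service = secure(new RealUserService());
        service.editUserProfile("new signature");           // inner check is self-invoked, so skipped
        try { service.editUserProfileGuarded("new signature"); }   // annotation on the proxied entry point
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The guarded variant shows one place where such a check is actually enforced: on the method that external callers invoke through the proxy.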
- duplicates: JC-934 Ensure user can't edit profile if he was restricted from this (Closed)