Record access with "or use field" not correct

troester

Administrator
Staff member
I have a list with edit access = superuser or use field=user.
Logged in as superuser.
Edit icon is shown in the list view.

Edit icon is missing in the viz popup.
Viz is showing the edit icon if I remove the "or use field" in list settings.

(FC 4.3.9)
 
@troester I have been looking into this. I am not sure how this ever worked. Let's walk through this:

In the Fullcalendar model, the getEvents function gets all the sources for the Viz. It then loads the data for each Viz, loops through each record and builds an array of events to be used by the FC JS library.

While building these events, it calls the listModel canDelete/canEdit/canViewDetails functions. Let's focus on canEdit. This can be found in the component list model. The canEdit function calls a subFunction canUserDo, passing the data row and the column that should be checked for access (the user column). The subFunction simply passes the work off to the FabrikWorker function canUserDo.

So we go over to that function and it mucks about getting the userID of the user who has rights.

Now here is where it gets weird: it does a bunch of safety checks and then at the end says, does the userID in the user column match the logged-in user (or the input rowid == -1), and if so returns true. I get the userid match but am not sure about the rowid, but that is neither here nor there. The point is that since they do not match, the function returns -1.

Let's head back to the list model canEdit function. If the canUserDo function returns anything but -1, this function simply returns the result. If, however, the function returns -1 (which it is doing), the next bit is where it goes really wrong.

It checks whether we have already done the test and the property $this->access->edit is set. If it is not, it then interrogates the authorized viewing level of the user (which for our testing has been user 0 as we are not logged in), and given the default list access is Public and the non-logged-in user is part of this group, edit is allowed.

Now, the access level thing can be changed, but I think the real problem is: why is the canUserDo function not kicking it out if the user IDs don't match?

I am reluctant to change this as this code hasn't changed in many, many years and I don't know what the impact might be.

I am open to your thoughts.
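To make the control flow described in the post above concrete, here is a small PHP model of it. This is an added illustration, not Fabrik's own code: the function signatures, the `$userViewLevels` argument and the sample row are assumptions.

```php
<?php
// Simplified model of the access flow the post walks through (added
// illustration, not Fabrik's code; names and signatures are assumed).

// Stand-in for FabrikWorker::canUserDo(): true when the row's user column
// matches the logged-in user (or rowid == -1), otherwise -1.
// Note that a mismatch is reported as -1 ("undecided"), never as false.
function canUserDo(array $row, string $col, int $userId, int $rowId)
{
    if (!isset($row[$col])) {
        return -1;
    }
    if ((int) $row[$col] === $userId || $rowId === -1) {
        return true;
    }
    return -1;
}

// Stand-in for the list model's canEdit(): anything other than -1 is
// returned as-is; -1 falls through to the list's access-level check.
function canEdit(array $row, string $col, int $userId, int $rowId,
                 array $userViewLevels, int $listEditLevel): bool
{
    $result = canUserDo($row, $col, $userId, $rowId);
    if ($result !== -1) {
        return (bool) $result;
    }
    // Fallback: the guest (user 0) holds the Public view level, so a list
    // whose edit access is Public grants edit despite the column mismatch.
    return in_array($listEditLevel, $userViewLevels, true);
}

// Constructed sample row owned by user 42; "user" is the column checked.
$row = ['id' => 7, 'user' => 42];
const PUBLIC_LEVEL = 1;   // assumed id of the Public view level

// Guest (user 0, Public view level) on a list whose edit access is Public:
var_dump(canEdit($row, 'user', 0, 7, [PUBLIC_LEVEL], PUBLIC_LEVEL));
// Owner (user 42) with the same settings:
var_dump(canEdit($row, 'user', 42, 7, [PUBLIC_LEVEL], PUBLIC_LEVEL));
```

Both calls come back true: the user-column mismatch for the guest is swallowed by the -1 fall-through and decided by the list's Public edit level instead, which is the behaviour the post questions.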
 
Hmm, I just tested with the old FC, there it's working.
I'll try to step through, but not until tomorrow.
 