Opened 12 years ago
Last modified 12 years ago
#979 new defect
Privileges / Editor could create metadata in groups there are not member of
| Reported by: | fxp | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | v2.10.0 RC0 |
| Component: | General | Version: | |
| Keywords: | Cc: |
Description
Using the metadata.create service, user could create new record in all groups (even if the user is not a member).
http://localhost:8080/geonetwork/srv/eng/metadata.create.new?id=13&group=51&currTab=simple
The GUI only display user groups, so that should not happen.
Add a ServiceNotAllowedEx exception in that case.
Note:
See TracTickets
for help on using tickets.
Editor can also publish in "reserved" group (ie. internet, intranet, guest) using the metadata.admin service and _0_0=on to publish to intranet for example.
Add a ServiceNotAllowedEx exception in that case.