- Issue created by @jonathan1055
- ๐ฎ๐ณIndia chetan 11
chetan 11 โ made their first commit to this issueโs fork.
- Status changed to Needs review
about 1 year ago 10:19am 19 December 2023 - Status changed to Needs work
about 1 year ago 10:23am 19 December 2023 - ๐ฌ๐งUnited Kingdom jonathan1055
Hi chetan11,
Thank you for working on this. But it is polite when someone has just created an issue, and also created an issue fork branch, to ask if they are doing the work before jumping in and making your own commit, within one hour of the issue being created.
You are welcome to work on this now, I will stop the work I had started.
By the way, your test failed, and you also introduced new phpcs faults. - ๐บ๐ธUnited States moshe weitzman Boston, MA
Why is a wait needed in order to view the h1 text? That should be returned in the initial response, right?
- ๐ฌ๐งUnited Kingdom jonathan1055
@moshe You are right, no wait is needed. That was not the problem, and adding it did not fix the test. I don't know if chetan11 ran it locally or was just taking a guess. I was working on the actual fix locally, but stopped when chetan11 pushed to the MR. I can pick it up again, but was waiting for their response, as I did not want to clash again.
- ๐ช๐ธSpain fjgarlin
I'd say go ahead and create a separate branch/MR to address this. It not only did not fix it, it also broke the one phpunit that was still working.
- Merge request !21Issue #3409652: Admin user needs extra permission โ (Merged) created by jonathan1055
- Status changed to Needs review
about 1 year ago 4:07pm 19 December 2023 - ๐ฌ๐งUnited Kingdom jonathan1055
Done. The pipeline passes all green now. I looked at the generated html and the final page was 'access denied'. I looked back at some other tests for admin users (eg in Scheduler) and saw that they had the extra permission 'administer site configuration'. Adding this fixed the test, and both permissions are now required in 10.2. The previous passing test was in 10.1 where just 'access administration pages' was sufficient.
I have not investigated exactly what core change from 10.1 to 10.2 caused this extra permission to be needed. I guess it was always to be there, and this is a tightening of security, as it prevents one permission showing the top admin page, it needs to be more speciifc now.
-
moshe weitzman โ
committed 2cbddb92 on 8.x-1.x authored by
jonathan1055 โ
Issue #3409652: Admin user needs extra permission
-
moshe weitzman โ
committed 2cbddb92 on 8.x-1.x authored by
jonathan1055 โ
- ๐ฌ๐งUnited Kingdom jonathan1055
jonathan1055 โ changed the visibility of the branch 3409652-phpunit to hidden.
- ๐ฌ๐งUnited Kingdom jonathan1055
In the committed comment I said . This is not precisely correct. Yes 'administer site configuration' is sufficient, but any other "real" admin permission would also be enough to give access to the top-level
/admin
url. - ๐ฌ๐งUnited Kingdom jonathan1055
Yes it can be marked 'fixed'. That comment can stay as-is, it might be right or wrong depending on what happens in core issue ๐ Admin page access denied even when access is given to child items RTBC which was the cause of the problem. Either way, the test passes now.
- Status changed to Fixed
9 months ago 11:02am 24 March 2024 Automatically closed - issue fixed for 2 weeks with no activity.