multisite: bug in can view management permission because of legacy rule (and extension of permissions to management api) #1425

@MyPyDavid

Description

It seems that in a multisite setup, a user with the role of editor for site "foo" can also (mistakenly) see the management in site "bar".
The cause of the bug seems to be in the is_legacy_reviewer rule, because the perms that are checked in there only check for is_editor and not for is_editor_for_current_site.

In addition, the management viewsets should also be protected by higher permissions than only "is authenticated".

Expected behaviour

The management access should be site specific according to the assigned roles of the user.

Steps to reproduce

  1. Assign an editor to site Foo
  2. Log in as that user in site Bar and see the Management entry in the navbar

Context

2.3.2

References
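A minimal model of the two checks named in the report, added here as an illustration and not taken from the issue or from the project's own rules: a site-agnostic is_editor predicate stands in for the legacy rule, a site-scoped is_editor_for_current_site predicate stands in for the fix, and a third function shows why an "is authenticated" gate on the management API is weaker than the site-scoped rule. The Site and User classes, the role table and every function name other than is_editor and is_editor_for_current_site are assumptions made for this example.

```python
# Added illustration of the site-scoped permission check described in the issue.
# Not the project's code: Site, User, the role table and the rule functions other
# than is_editor / is_editor_for_current_site are constructed for this example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Site:
    domain: str


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    # constructed: domains of the sites on which this user holds the editor role
    editor_sites: set = field(default_factory=set)


def is_editor(user: User) -> bool:
    """Site-agnostic check: true if the user is an editor on any site at all."""
    return bool(user.editor_sites)


def is_editor_for_current_site(user: User, current_site: Site) -> bool:
    """Site-scoped check: true only if the user edits the site being served."""
    return current_site.domain in user.editor_sites


def legacy_can_view_management(user: User, current_site: Site) -> bool:
    """Models the reported bug: current_site is never consulted, so an editor
    of any site passes on every site."""
    return is_editor(user)


def can_view_management(user: User, current_site: Site) -> bool:
    """Corrected rule: Management is only visible on sites the user edits."""
    return is_editor_for_current_site(user, current_site)


def authenticated_only_api_permission(user: User, current_site: Site) -> bool:
    """Models an 'is authenticated' gate on the management API: any logged-in
    user, editor or not, gets through on any site."""
    return user.is_authenticated


def site_scoped_api_permission(user: User, current_site: Site) -> bool:
    """Hardened API gate: authenticated AND editor for the site being served."""
    return user.is_authenticated and can_view_management(user, current_site)


def check_access(rule, user: User, sites: list) -> dict:
    """Evaluate one rule for one user across several sites; the result is the
    'on which sites does this user see Management' view from the report."""
    return {site.domain: rule(user, site) for site in sites}


# Constructed reproduction of the report: an editor for "foo" visiting "foo" and "bar".
FOO = Site("foo")
BAR = Site("bar")
EDITOR_OF_FOO = User("alice", editor_sites={"foo"})
PLAIN_USER = User("bob")  # authenticated, but editor nowhere

if __name__ == "__main__":
    for name, rule in [
        ("legacy view rule", legacy_can_view_management),
        ("fixed view rule", can_view_management),
        ("authenticated-only API", authenticated_only_api_permission),
        ("site-scoped API", site_scoped_api_permission),
    ]:
        print(f"{name:24s} editor of foo: {check_access(rule, EDITOR_OF_FOO, [FOO, BAR])}")
        print(f"{name:24s} plain user   : {check_access(rule, PLAIN_USER, [FOO, BAR])}")
```

Running the block prints the matrix the reporter describes: under the legacy rule the editor of "foo" sees Management on "bar" as well, under the fixed rule only on "foo"; the authenticated-only API gate additionally lets the plain user through everywhere, while the site-scoped gate matches the fixed view rule.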
