A) Switching from production in experiment A to analysis in experiment B leaves the user with production abilities.
1) Turn off root for yourself.
2) Have production in for DUNE and analysis for SAMDEV
3) On the main page I changed myself to DUNE production
4) Now change to SAMDEV
5) The URL shows production, but the dropdown shows analysis. The forms allow production access.
B) Manually changing the link from analysis to production gives access to production data.
Note: changing the experiment in the link IS caught. We need to add a test for role at this same point.
#1 Updated by Marc Mengel 8 months ago
- % Done changed from 0 to 90
- Status changed from New to Resolved
So the security bug is fixed; but now of course the user gets a permission denied error page, and has to go back in their browser, change role first, then change experiment...
Better we should know what their max level is for each experiment, and if they switch experiments to a role they don't have, knock the role down too.
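Added example (not POMS project code) of the two checks discussed above: the strict experiment-plus-role check from note #1, and the follow-up proposal to knock the role down when a user switches to an experiment where they hold a lower role. The role ordering and the sample per-experiment role table are assumptions made for the example.

```python
"""Added example, not code from the project: server-side validation of the
(experiment, role) pair a request carries, so a role left over from another
experiment, or edited into the link, cannot grant access the user lacks."""

# Role names come from the ticket; their privilege ordering (lowest first)
# is an assumption made for this example.
ROLE_LEVELS = {"analysis": 0, "production": 1, "root": 2}

# Constructed sample: the highest role the user holds in each experiment.
SAMPLE_USER_ROLES = {"DUNE": "production", "SAMDEV": "analysis"}


def max_role(user_roles, experiment):
    """Highest role the user holds in `experiment`, or None if none."""
    return user_roles.get(experiment)


def check_access(user_roles, experiment, role):
    """Strict check (the fix in note #1): True only if the user holds at
    least `role` in `experiment`. Unknown roles or experiments are denied."""
    held = max_role(user_roles, experiment)
    if held is None or role not in ROLE_LEVELS:
        return False
    return ROLE_LEVELS[role] <= ROLE_LEVELS[held]


def effective_role(user_roles, experiment, requested_role):
    """Follow-up proposal: a role the user does not hold in the target
    experiment is knocked down to the highest role they do hold there,
    instead of failing the request. No role at all is still an error."""
    held = max_role(user_roles, experiment)
    if held is None:
        raise PermissionError(f"no role in experiment {experiment}")
    if check_access(user_roles, experiment, requested_role):
        return requested_role
    return held


def switch_experiment(user_roles, session, new_experiment):
    """The switch from scenario A: the session's current role is carried
    over, then re-validated against the new experiment."""
    session = dict(session, experiment=new_experiment)
    session["role"] = effective_role(user_roles, new_experiment, session["role"])
    return session


if __name__ == "__main__":
    # Scenario A: DUNE/production, then switch to SAMDEV -> role drops to analysis.
    print(switch_experiment(SAMPLE_USER_ROLES, {"experiment": "DUNE", "role": "production"}, "SAMDEV"))
    # Scenario B: production edited into the link for SAMDEV is rejected.
    print(check_access(SAMPLE_USER_ROLES, "SAMDEV", "production"))
```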