Change
Default view and factsheet form
Issue description
There was a change in behavior due to a bugfix: the form used to display the fields for the default view if no explicit view id was passed in the URL. This was changed to display all the fields when fixing issue 6518. Rethink all that and make sure it is secure.
Developer comments
There are various problems here: 1) existing service code assumes that the viewless edit URL brings up the default view. 2) when a user has a restricted view on a topic type (default view), he can easily circumvent that by simply removing the view id from the form URL.
Currently the regression test for [5671, issue 5671] is failing. Resolving this must make the test pass, ideally without adjusting the form URL in the test, which means undoing the changes from [6518, issue 6518].
Currently, when viewing, the default view is implicit, and when editing it must be explicit. Rights-wise, I do not think it matters, but I think it should be implicit in both cases.
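An added sketch, not the project's own code, of the server-side behavior this issue asks for: a viewless edit URL resolves to the user's default view, an explicit view id must be one the user is granted, and submitted fields outside the resolved view are rejected. The `view` query parameter, the view ids, the field names and the grant table are all assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (assumed names, not the project's schema).
VIEWS = {
    "full": {"title", "summary", "owner", "salary"},
    "public": {"title", "summary"},
}
# Per user: views granted on this topic type, and which one is the default.
GRANTS = {
    "alice": {"allowed": {"full", "public"}, "default": "full"},
    "bob": {"allowed": {"public"}, "default": "public"},
}


class ViewDenied(Exception):
    """Raised when a request asks for a view or field the user may not use."""


def resolve_view(user, url):
    """Return the view id that applies to this request."""
    grant = GRANTS[user]
    # parse_qs drops blank values, so "?view=" counts as "no view id".
    requested = parse_qs(urlsplit(url).query).get("view", [])
    if not requested:
        # Viewless URL: implicit default view, never "all fields".
        return grant["default"]
    if len(requested) > 1 or requested[0] not in grant["allowed"]:
        raise ViewDenied(requested)
    return requested[0]


def form_fields(user, url):
    """Fields the edit form may render for this user and URL."""
    return sorted(VIEWS[resolve_view(user, url)])


def apply_edit(user, url, topic, submitted):
    """Apply a submitted form; the check runs again at write time because
    a client can post fields the rendered form never contained."""
    allowed = VIEWS[resolve_view(user, url)]
    extra = set(submitted) - allowed
    if extra:
        raise ViewDenied(sorted(extra))
    updated = dict(topic)
    updated.update(submitted)
    return updated
```

The same `resolve_view` is used for rendering and for saving, so viewing and editing treat the default view as implicit in the same way.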
Work sessions
Start: 2016-12-23T09:10:48
End: 2016-12-23T11:11:12
Participant: Robert Cerny