WHY - blog_editor can edit any CMS page?

MichaelMackus

Feb 9, 2012, 6:18:32 PM
to apostrophenow
Hello,

I just ran into a very very strange issue. I'm using apostrophe for a
new site for a client, and one of the things the client needed was
the flexible permissions system. But for some reason it's not
working...

I have user "demo" with the group (custom created) "Blog users". This
group has the permissions: "blog_admin", "blog_author", "media_admin",
and "media_upload". NO other permissions. I also triple checked the
database and the demo user has the is_superadmin flag set to 0.

However, if I log in to this account, the user can edit any CMS page!
What gives? I've tried logging out/back in several times, but no luck.
This is kind of frustrating because we're already way past the
deadline on the site and the client's pestering us to get this
finished, and this is the very last issue on the site...

I tried poking around in a few functions this morning for an hour and
a half or so and can't figure it out for the life of me... Is there
some setting I'm supposed to set? Does this have anything to do with
how we installed the site (not all the permissions exist in the DB)?

Thanks. Any help would be awesome!

Tom Boutell

Feb 9, 2012, 6:46:50 PM
to apostr...@googlegroups.com
Check out your app.yml settings, compare to what's in the demo with
regard to permissions. If you don't set things up correctly, the
default behavior is very permissive.

--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
