Details
-
Bug
-
Resolution: Fixed
-
Major
-
COmanage Registry 0.8.2 (Omnipotent Octagon! Part Deux)
Description
Menu permissions are calculated in such away that if a person is a CO Admin in 1 CO but a member of 2 COs, the menu will render CO Admin-oriented menu items for both COs. (There are additional variations.) This is because the menu permissions are calculated in AppController::menuAuth() on an overall basis, and the links rendered in Elements/dropMenu.ctp can't/don't check the CO-level permission.
Note this only applies to the rendering of the menu item. The actual per-controller authz still happens when the link is clicked.