MBS-13108: Require relationship editor, not admin, privs for attributes

There's no real reason this should be locked behind account_admin. It has nothing to do with accounts nor private data, and a lot to do with schema / style, which is what we generally use relationship_editor for (not just relationships but also genres, instruments).
metabrainz · Nov 15, 2023 · 0e6871f · 0e6871f
1 parent cc3e1e4
commit 0e6871f
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/MusicBrainz/Server/Controller/Attributes.pm b/lib/MusicBrainz/Server/Controller/Attributes.pm
@@ -96,7 +96,7 @@ sub attribute_index : Chained('attribute_base') PathPart('') {
     );
 }
 
-sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
+sub create : Chained('attribute_base') RequireAuth(relationship_editor) SecureForm {
     my ($self, $c) = @_;
     my $model = $c->stash->{model};
 
@@ -117,7 +117,7 @@ sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm {
     }
 }
 
-sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub edit : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
     my ($self, $c, $id) = @_;
     my $model = $c->stash->{model};
     my $attr = $c->model($model)->get_by_id($id);
@@ -139,7 +139,7 @@ sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureFo
     }
 }
 
-sub delete : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm {
+sub delete : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm {
     my ($self, $c, $id) = @_;
     my $model = $c->stash->{model};
     my $attr = $c->model($model)->get_by_id($id)