From 0e6871f85cbc0740f8a8c339710115a8ae18e686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Tamargo?= Date: Fri, 8 Apr 2022 19:09:10 +0300 Subject: [PATCH] MBS-13108: Require relationship editor, not admin, privs for attributes There's no real reason this should be locked behind account_admin. It has nothing to do with accounts nor private data, and a lot to do with schema / style, which is what we generally use relationship_editor for (not just relationships but also genres, instruments). --- lib/MusicBrainz/Server/Controller/Attributes.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/MusicBrainz/Server/Controller/Attributes.pm b/lib/MusicBrainz/Server/Controller/Attributes.pm index 06dc4068e28..51fbdf2cf58 100644 --- a/lib/MusicBrainz/Server/Controller/Attributes.pm +++ b/lib/MusicBrainz/Server/Controller/Attributes.pm @@ -96,7 +96,7 @@ sub attribute_index : Chained('attribute_base') PathPart('') { ); } -sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm { +sub create : Chained('attribute_base') RequireAuth(relationship_editor) SecureForm { my ($self, $c) = @_; my $model = $c->stash->{model}; @@ -117,7 +117,7 @@ sub create : Chained('attribute_base') RequireAuth(account_admin) SecureForm { } } -sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm { +sub edit : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm { my ($self, $c, $id) = @_; my $model = $c->stash->{model}; my $attr = $c->model($model)->get_by_id($id); @@ -139,7 +139,7 @@ sub edit : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureFo } } -sub delete : Chained('attribute_base') Args(1) RequireAuth(account_admin) SecureForm { +sub delete : Chained('attribute_base') Args(1) RequireAuth(relationship_editor) SecureForm { my ($self, $c, $id) = @_; my $model = $c->stash->{model}; my $attr = $c->model($model)->get_by_id($id)