Employee with "Can edit group membership" can move clients between offices with no need for a permission

Description

Employees with "Can edit group membership" can move clients between offices without the need for the "Can edit office membership" rule

Repro:
1-remove the "Can edit office membership" from the user's permissions
2-search for a client
3-click on edit branch membership
4-permission works
5-workaround is to add group membership
6-enter a group name in another office
7-join group

You can find that the client has been moved to the other office without the need for the permission to do that.

Expected result:
Employees with no permission to edit office membership should not be able to change the office_id for any client, even by using the edit group membership.

Environment

LSIM
GLIM
Centers Off
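
The report above describes a side-effect authorization gap: joining a group in another office changes the client's office_id, but only the group permission is checked. The sketch below is an added example, not the project's code and not the change in the referenced commit; the data model and function names are hypothetical, and only the two permission names and the office_id field come from the ticket.

```python
from dataclasses import dataclass
from typing import Optional

EDIT_GROUP = "Can edit group membership"
EDIT_OFFICE = "Can edit office membership"

class PermissionDenied(Exception):
    pass

@dataclass
class Group:
    name: str
    office_id: int

@dataclass
class Client:
    office_id: int
    group: Optional[Group] = None

@dataclass
class Employee:
    permissions: frozenset

def join_group_unchecked(actor, client, group):
    # Behaviour reported in the ticket: only the group permission is checked,
    # yet the client silently inherits the group's office.
    if EDIT_GROUP not in actor.permissions:
        raise PermissionDenied(EDIT_GROUP)
    client.group = group
    client.office_id = group.office_id  # office change as a side effect

def join_group_checked(actor, client, group):
    # Authorize on the effect, not the entry point: a join that would change
    # office_id also requires the office membership permission.
    if EDIT_GROUP not in actor.permissions:
        raise PermissionDenied(EDIT_GROUP)
    if group.office_id != client.office_id and EDIT_OFFICE not in actor.permissions:
        raise PermissionDenied(EDIT_OFFICE)
    client.group = group
    client.office_id = group.office_id

def demo():
    # Constructed sample data: an employee holding only the group permission.
    officer = Employee(frozenset({EDIT_GROUP}))
    moved, kept = Client(office_id=1), Client(office_id=1)
    join_group_unchecked(officer, moved, Group("group-b", office_id=2))
    try:
        join_group_checked(officer, kept, Group("group-b", office_id=2))
        blocked = False
    except PermissionDenied:
        blocked = True
    join_group_checked(officer, kept, Group("group-a", office_id=1))
    return moved.office_id, blocked, kept.office_id, kept.group.name
```

A regression test for this class of bug asserts on the resulting office_id for a user who lacks the office permission, rather than only on whether the group edit screen is reachable.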

Activity

Krzysztof Kaczmarczyk
May 7, 2013, 1:02 PM

Fixed in commit: 80ff838110f23fa98c2a14ffbd307c1cbab452df

Michał Spica
May 8, 2013, 2:42 PM

Permission works properly.
Build Date Wed May 08 03:04:07 PDT 2013
Build Number hudson-head-master-archive-1501

Fixed

Assignee

Krzysztof Kaczmarczyk

Reporter

George Lteif

Team

Core

Time tracking

0m

Time remaining

5h

Priority

Critical