Admin users should not see posts they don't have edit or delete access to.

[elgee]

Basically, when a user is logged into the admin system, they should not be presented with any posts that they can't actually edit or delete.

The presentation of posts implies that the user _can_ edit them, and is thus bad UI. Obviously, as long as there are the appropriate checks on the CRUD actions themselves, it's not a direct security flaw, however it could reveal information (ie if you have special markup in your posts or something.).

A more severe set of checks may even get to the point where a user can log in, but not access the publish page (thus not accessing the silos). It's the same kind of problem.

More info and previous discussion in comments. Also, my flawed patch attached.

[elgee]

My long discussion with rick_c goes from about here:  http://drunkenmonkey.org/irc/habari/2010-01-13#T23-03-47 to about here  http://drunkenmonkey.org/irc/habari/2010-01-13#T23-53-39

In it, a couple of important points are made

1) My patch is crap. There are a couple of chunks of code that i wrote and didn't check because it wasn't relevant to me. I'm sorry. I won't do it again :)

2) The hardest bit in the problem is the case where the user has own_posts && post_{type}. In this case, we should show owned posts and all posts of type(s). See the patch for more description. L65 is the relevant code. The difficulty is that the only way i could find to do it properly is to write custom where code. Which works, but then pagination and timelines break, as posts::get doesn't seem to be very happy when we use custom where clauses.

3) As a whole, the problem and associated patch uncovers a whole can of worms around::

a) the inflexibility of (my understanding of) pagination
b) the scaryness of custom wheres

or alternately

c) the inability to do 'OR's effictively in Posts::get

however, having said that, to my mind, they are /hard/ problems.

I don't think the solution of "well they can see them anyway in the front end" is appropriate, as that may not be the case. Consider draft posts.

[Konzertheld]

Users are no longer able to edit posts they are not permitted to edit, but you do not need to be an admin to view other users' drafts. You just need an account to log in and the permission to view posts (which you should have to view _published_ posts in the frontend) - then you can see all the posts including drafts.

[michaeltwofish]

Related #1270.

[rickc]

Related #1092.

[rickc]

The attached patch, based on the original patch, may be a slightly simpler method to accomplish the same purpose. It avoids the issue of a custom search or trying to OR conditions together.