Although access to the page /admin/user-group-management is denied to non-admin users thanks to the routing rule at https://github.com/nuxeo/nuxeo-web-ui/blob/maintenance-3.0.x/elements/routing.js#L75 , it is still possible to access a user profile with a URL like /nuxeo/ui/#!/admin/user-group-management/user/jdoe
This ticket is to request that the pages under /admin/user-group-management be forbidden too, for consistency.
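The gap described above, modelled as an added example (not code from nuxeo-web-ui): a guard that matches only the exact admin route lets sub-routes through, while a prefix match on a path-segment boundary denies them. The function names, the `isAdministrator` field and the `nuxeo.example` host are assumptions made for illustration.

```javascript
// Hypothetical route guard, written for this ticket; not the project's routing.js.
const ADMIN_PREFIX = '/admin/user-group-management';

// Extract and normalise the client-side route from a full URL or hash-bang fragment.
function routeFromUrl(url) {
  const i = url.indexOf('#!');
  let route = (i >= 0 ? url.slice(i + 2) : url).split('?')[0];
  try {
    route = decodeURIComponent(route); // percent-encoded segments must not dodge the match
  } catch (e) {
    return null; // malformed escape sequence: caller denies
  }
  // Collapse duplicate slashes and drop trailing slashes before comparing.
  route = route.replace(/\/{2,}/g, '/').replace(/\/+$/, '');
  return route.startsWith('/') ? route : '/' + route;
}

// Model of the reported behaviour: only the top-level page is protected.
function matchExact(route) {
  return route === ADMIN_PREFIX;
}

// Requested behaviour: the page and everything under it, matched on a segment
// boundary so that "/admin/user-group-management-x" is not caught by accident.
function matchPrefix(route) {
  return route === ADMIN_PREFIX || route.startsWith(ADMIN_PREFIX + '/');
}

// Returns 'deny' or 'allow' for a user object with a boolean isAdministrator flag.
function decide(user, url, matcher) {
  const route = routeFromUrl(url);
  if (route === null) return 'deny';
  return matcher(route) && !user.isAdministrator ? 'deny' : 'allow';
}

// Constructed sample input mirroring the steps to reproduce.
const sarah = { name: 'sarah', isAdministrator: false };
const base = 'https://nuxeo.example/nuxeo/ui/#!';
for (const path of [ADMIN_PREFIX, ADMIN_PREFIX + '/user/john']) {
  console.log(path, 'exact:', decide(sarah, base + path, matchExact),
    'prefix:', decide(sarah, base + path, matchPrefix));
}
```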
Steps to reproduce:
- Create a user "john"
- Create a user "sarah"
- Make sure that both users only have the members group, they should NOT have admin rights.
- Login as sarah
- Try to access [SERVER_URL]/nuxeo/ui/#!/admin/user-group-management/user/john
=> screen is displayed
=> expected:
- access to this screen should be refused because sarah is not an administrator; the behavior should be the same as if you try to access [SERVER_URL]/nuxeo/ui/#!/admin/user-group-management
- access to any URL beyond
[SERVER_URL]/nuxeo/ui/#!/admin/user-group-management
should behave the same as if you try to access
[SERVER_URL]/nuxeo/ui/#!/admin/user-group-management
- links to