Page MenuHomePhabricator

Restrict growthsetmentor command to mentors only
Open, Needs TriagePublic


Currently API command growthsetmentor (POST like is overly free to use IMHO.
The only restriction I found: user A cannot set mentor - mentee relation between users B and С (so two other users). That later gives "permissiondenied" error.
Otherwise user A can be the mentor and change his/her mentee. Or user A can be the mentee and change his/her mentor. The last seems to break the idea to randomly evenly distribute newcomers between experienced volunteers.

My proposal is: if the query is from a mentor then OK, otherwise (a mentee) it should be done by contacting the current mentor and to argument the need to move to some other specific mentor,