Bug #11075
Authenticated users can access browse pages and functionality that should be restricted to groups
| Status: | Verified | Start date: | 04/13/2017 |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | Nick Wilkinson | % Done: | 0% |
| Category: | User management | | |
| Target version: | Release 2.5.0 | | |
| Google Code Legacy ID: | | Tested version: | 2.3 |
| Sponsored: | No | Requires documentation: | Yes |
Description
- Create a new user
- Do not add to any groups
- Log out and log back in as that user
- Explore and take notes
Outcome
Basic testing reveals that an authenticated user who is not added to any groups has the following permissions:
- Browse Physical storage
- Browse Rights holders
- Browse Taxonomies (and the view pages for each taxonomy's terms)
- The Jobs page (though they can only see jobs they run, not the jobs of others)
- Generate finding aids
- Export search results
Authenticated users can see the whole of the Add and Manage menus, though all nodes in the Add menu and Accessions/Donors in Manage lead to permission denied pages.
There may be more. Some of these are benign, but in many cases, these might comprise a security risk if institutions are granting some users accounts to access otherwise restricted materials, etc.
Errors encountered to be considered for fixes / Expected outcome
Access to the following, at minimum, should be denied:
- Browse Physical storage
- Browse Rights holders
Related issues
History
#1 Updated by Dan Gillean about 5 years ago
- Requires documentation set to Yes
Adding "Requires documentation" so that we remember to add this information to the docs.
Relevant back story on permissions module, and on this ticket being filed:
#2 Updated by Nick Wilkinson over 4 years ago
- Assignee set to Mike Cantelon
Hi Mike, can you please take a look at this?
#3 Updated by Mike Cantelon over 4 years ago
Will do!
#4 Updated by Mike Cantelon over 4 years ago
- Status changed from New to Code Review
- Assignee changed from Mike Cantelon to Nick Wilkinson
CR for PR: https://github.com/artefactual/atom/pull/654
#5 Updated by Nick Wilkinson over 4 years ago
- Assignee changed from Nick Wilkinson to José Raddaoui Marín
Hi Radda, passing to you for CR.
#6 Updated by José Raddaoui Marín over 4 years ago
- Status changed from Code Review to Feedback
- Assignee changed from José Raddaoui Marín to Mike Cantelon
#7 Updated by Mike Cantelon over 4 years ago
- Assignee changed from Mike Cantelon to José Raddaoui Marín
I've responded to feedback in PR.
#8 Updated by José Raddaoui Marín over 4 years ago
- Assignee changed from José Raddaoui Marín to Mike Cantelon
#9 Updated by Mike Cantelon over 4 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from Mike Cantelon to Dan Gillean
Merged into qa/2.5.x.
Here are some things to check for QA:
- Only authenticated users in the contributor, editor, and admin groups should be able to see menu items to add content
- Only administrators should be able to browse physical objects
- Only administrators should be able to browse and delete rights holders
- Only administrators should be able to browse the search/descriptionUpdates page
- Only editors and administrators should be able to browse, and view detail pages for, taxonomies
- Only translators, editors, and administrators should be able to edit terms
- Only contributors, editors, and administrators should be able to browse accessions
- Only translators, editors, and administrators should be able to edit accessions
- Only contributors, editors, and administrators should be able to browse donors
- Only translators, editors, and administrators should be able to edit functions
- Only translators, editors, and administrators should be able to edit repositories
#10 Updated by Dan Gillean over 4 years ago
- Status changed from QA/Review to Feedback
- Assignee changed from Dan Gillean to Mike Cantelon
Hi Mike!
This is looking mostly good, but I did find one issue that might not be easy to resolve.
You noted the following in your changes, which I have tested and reproduced:
Only editors and administrators should be able to browse, and view detail pages for, taxonomies
The only problem is, Subjects and Places are both taxonomies that even public users can browse (and Genres). Further, you've hidden the links in the main browse menu in the AtoM bar, but they are still present on the homepage browse menu. I think ideally anyone should be able to browse subjects, places, and genres. However, I understand that it might be difficult to add specific permissions to just these taxonomies without major changes. Thoughts welcome!
#11 Updated by Dan Gillean about 4 years ago
- Target version set to Release 2.5.0
#12 Updated by Mike Cantelon about 4 years ago
- Status changed from Feedback to Code Review
- Assignee changed from Mike Cantelon to Nick Wilkinson
PR for CR: https://github.com/artefactual/atom/pull/673
#13 Updated by Nick Wilkinson about 4 years ago
- Assignee changed from Nick Wilkinson to José Raddaoui Marín
Hi Radda, can you please CR this?
#14 Updated by José Raddaoui Marín about 4 years ago
- Status changed from Code Review to Feedback
- Assignee changed from José Raddaoui Marín to Mike Cantelon
#15 Updated by José Raddaoui Marín about 4 years ago
Hi Dan, I believe the reason for seeing different menus in the homepage and the header may be that we're caching the menus with the "ViewCacheManager". I have added a note in the PR about clearing it in the migration but I think you could achieve the same by removing the ".cache" folder in the AtoM directory.
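The two points the thread turns on, the access matrix in the QA checklist of comment #9 and the cached-menu note in comment #15, can be shown together in a small model. The following is an added example written for this ticket, not AtoM's own code: the group names and the allowed-groups matrix are transcribed from comment #9, while the action identifiers, the menu labels and the cache design are assumptions made for illustration. It contrasts the reported behaviour (being logged in is treated as sufficient) with a deny-by-default group check, and shows why a rendered-menu cache must be keyed by the user's group set rather than shared.

```python
"""Deny-by-default group ACL with a menu cache keyed by group membership.

Added example written for this ticket; it is not AtoM's code. The group
names and the allowed-groups matrix are transcribed from the QA checklist
in comment #9; the action identifiers, the menu labels and the cache
design are assumptions made for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Assumed action identifiers -> groups permitted (matrix from comment #9).
ACL: Dict[str, FrozenSet[str]] = {
    "add_menu": frozenset({"contributor", "editor", "administrator"}),
    "browse_physical_objects": frozenset({"administrator"}),
    "browse_rights_holders": frozenset({"administrator"}),
    "delete_rights_holders": frozenset({"administrator"}),
    "browse_description_updates": frozenset({"administrator"}),
    "browse_taxonomies": frozenset({"editor", "administrator"}),
    "edit_terms": frozenset({"translator", "editor", "administrator"}),
    "browse_accessions": frozenset({"contributor", "editor", "administrator"}),
    "edit_accessions": frozenset({"translator", "editor", "administrator"}),
    "browse_donors": frozenset({"contributor", "editor", "administrator"}),
    "edit_functions": frozenset({"translator", "editor", "administrator"}),
    "edit_repositories": frozenset({"translator", "editor", "administrator"}),
}


def is_allowed_login_only(authenticated: bool, groups: Iterable[str], action: str) -> bool:
    """The behaviour the ticket reports: being logged in is treated as sufficient."""
    return authenticated


def is_allowed(authenticated: bool, groups: Iterable[str], action: str) -> bool:
    """Deny by default: anonymous users, users in no group and unknown actions all fail."""
    if not authenticated:
        return False
    permitted = ACL.get(action, frozenset())
    return not permitted.isdisjoint(groups)


def over_granted_actions(groups: Iterable[str]) -> List[str]:
    """Actions the login-only check grants to an authenticated user that the
    group ACL denies; for a user in no group this is every action in the matrix."""
    groups = list(groups)
    return sorted(a for a in ACL
                  if is_allowed_login_only(True, groups, a) and not is_allowed(True, groups, a))


# Assumed menu labels, each guarded by one ACL action.
MENU_ITEMS: List[Tuple[str, str]] = [
    ("Add", "add_menu"),
    ("Browse physical storage", "browse_physical_objects"),
    ("Browse rights holders", "browse_rights_holders"),
    ("Browse taxonomies", "browse_taxonomies"),
    ("Browse accessions", "browse_accessions"),
    ("Browse donors", "browse_donors"),
]


class MenuCache:
    """Caches rendered menus. With per_group=True the cache key includes the
    user's sorted group set; with per_group=False a single entry is shared by
    every user, so whoever renders first decides what everyone else sees."""

    def __init__(self, per_group: bool = True) -> None:
        self.per_group = per_group
        self._store: Dict[Tuple, List[str]] = {}
        self.renders = 0  # how many times the menu was actually rebuilt

    def _key(self, authenticated: bool, groups: Iterable[str]) -> Tuple:
        if not self.per_group:
            return ("global",)
        return (authenticated, tuple(sorted(set(groups))))

    def menu_for(self, authenticated: bool, groups: Iterable[str]) -> List[str]:
        groups = list(groups)
        key = self._key(authenticated, groups)
        if key not in self._store:
            self.renders += 1
            self._store[key] = [label for label, action in MENU_ITEMS
                                if is_allowed(authenticated, groups, action)]
        return list(self._store[key])


if __name__ == "__main__":
    print("over-granted to a no-group user:", over_granted_actions([]))
    shared = MenuCache(per_group=False)
    shared.menu_for(True, ["administrator"])  # an administrator renders first
    print("no-group user via shared cache:", shared.menu_for(True, []))
    keyed = MenuCache(per_group=True)
    print("no-group user via keyed cache:", keyed.menu_for(True, []))
```

The `over_granted_actions([])` call lists exactly the gap the ticket describes: every action in the matrix is reachable when login alone is the test, and none is when group membership is required. The shared cache reproduces the kind of mismatch described in comment #15 (a menu rendered for one user being served to another), which is why clearing the cache after a permissions change matters and why the cache key should carry the group set.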
#16 Updated by Mike Cantelon about 4 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from Mike Cantelon to Dan Gillean
Merged into qa/2.5.x for QA.
#17 Updated by Mike Cantelon about 4 years ago
- Status changed from QA/Review to Feedback
- Assignee changed from Dan Gillean to Mike Cantelon
Sorry, just tested and realized I messed up resolving a git conflict so will fix that.
#18 Updated by Mike Cantelon about 4 years ago
- Status changed from Feedback to Code Review
- Assignee changed from Mike Cantelon to José Raddaoui Marín
PR for fix of my fix. Sorry about the mix-up.
#19 Updated by José Raddaoui Marín about 4 years ago
- Status changed from Code Review to Feedback
- Assignee changed from José Raddaoui Marín to Mike Cantelon
#20 Updated by Mike Cantelon about 4 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from Mike Cantelon to Dan Gillean
Merged for QA.
#21 Updated by Dan Gillean almost 4 years ago
Note for testing: when reviewing this, please check this use case: https://groups.google.com/d/msg/ica-atom-users/rIjVsQV5qr0/iVD2sJUdAAAJ
From the user:
I have changed both translator user and translator group permissions to Grant. However, the translator can search for Rights holders, but can not access add or detail pages.
Is this a bug?
#22 Updated by Michelle Curran almost 4 years ago
- Status changed from QA/Review to Verified
- Assignee changed from Dan Gillean to Nick Wilkinson
Verified the following:
- Only authenticated users in the contributor, editor, and admin groups should be able to see menu items to add content
- Only administrators should be able to browse physical objects
- Only administrators should be able to browse and delete rights holders
- Only administrators should be able to browse the search/descriptionUpdates page
- Only editors and administrators should be able to browse, and view detail pages for, taxonomies
- Only translators, editors, and administrators should be able to edit terms
- Only contributors, editors, and administrators should be able to browse accessions
- Only translators, editors, and administrators should be able to edit accessions
- Only contributors, editors, and administrators should be able to browse donors
- Only translators, editors, and administrators should be able to edit functions
- Only translators, editors, and administrators should be able to edit repositories
- Translator use case per Dan's note (https://groups.google.com/d/msg/ica-atom-users/rIjVsQV5qr0/iVD2sJUdAAAJ)
#23 Updated by Dan Gillean over 2 years ago
- Related to Bug #13202: Regression: Custom groups with Create and Publish permissions cannot access the Add menu or publish descriptions added
#24 Updated by Dan Gillean over 2 years ago
- Related to Bug #13169: Editors and translators should be able to access the physical storage module added
#25 Updated by Dan Gillean over 2 years ago
- Related to Bug #13205: Adding multiple ACL group taxonomy rules - only last one added applies added
#26 Updated by Dan Gillean over 2 years ago
- Duplicates Bug #5503: Add permissions to accessions module added