Bug #11075

Authenticated users can access browse pages and functionality that should be restricted to groups

Added by Dan Gillean over 2 years ago. Updated about 1 year ago.

Status: Verified
Start date: 04/13/2017
Priority: Medium
Due date:
Assignee: Nick Wilkinson
% Done: 0%
Category: User management
Target version: Release 2.5.0
Google Code Legacy ID:
Tested version: 2.3
Sponsored: No
Requires documentation: Yes

Description

To reproduce
  • Create a new user
  • Do not add to any groups
  • Log out and log back in as that user
  • Explore and take notes

Outcome
Basic testing reveals that an authenticated user who is not added to any groups has the following permissions:

  • Browse Physical storage
  • Browse Rights holders
  • Browse Taxonomies (and the view pages for each taxonomy's terms)
  • The Jobs page (though they can only see jobs they run, not the jobs of others)
  • Generate finding aids
  • Export search results

Authenticated users can see the whole of the Add and Manage menus, though all nodes in the Add menu and Accessions/Donors in Manage lead to permission denied pages.

There may be more. Some of these are benign, but in many cases, these might comprise a security risk if institutions are granting some users accounts to access otherwise restricted materials, etc.

Errors encountered to be considered for fixes / Expected outcome

Access to the following, at minimum, should be denied:

  • Browse Physical storage
  • Browse Rights holders

History

#1 Updated by Dan Gillean over 2 years ago

  • Requires documentation set to Yes

Adding "Requires documentation" so that we remember to add this information to the docs.

Relevant back story on permissions module, and on this ticket being filed:

#2 Updated by Nick Wilkinson almost 2 years ago

  • Assignee set to Mike Cantelon

Hi Mike, can you please take a look at this?

#3 Updated by Mike Cantelon almost 2 years ago

Will do!

#4 Updated by Mike Cantelon over 1 year ago

  • Status changed from New to Code Review
  • Assignee changed from Mike Cantelon to Nick Wilkinson

#5 Updated by Nick Wilkinson over 1 year ago

  • Assignee changed from Nick Wilkinson to José Raddaoui Marín

Hi Radda, passing to you for CR.

#6 Updated by José Raddaoui Marín over 1 year ago

  • Status changed from Code Review to Feedback
  • Assignee changed from José Raddaoui Marín to Mike Cantelon

#7 Updated by Mike Cantelon over 1 year ago

  • Assignee changed from Mike Cantelon to José Raddaoui Marín

I've responded to feedback in PR.

#8 Updated by José Raddaoui Marín over 1 year ago

  • Assignee changed from José Raddaoui Marín to Mike Cantelon

#9 Updated by Mike Cantelon over 1 year ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from Mike Cantelon to Dan Gillean

Merged into qa/2.5.x.

Here are some things to check for QA:

  • Only authenticated users in the contributor, editor, and admin groups should be able to see menu items to add content
  • Only administrators should be able to browse physical objects
  • Only administrators should be able to browse and delete rights holders
  • Only administrators should be able to browse the search/descriptionUpdates page
  • Only editors and administrators should be able to browse, and view detail pages for, taxonomies
  • Only translators, editors, and administrators should be able to edit terms
  • Only contributors, editors, and administrators should be able to browse accessions
  • Only translators, editors, and administrators should be able to edit accessions
  • Only contributors, editors, and administrators should be able to browse donors
  • Only translators, editors, and administrators should be able to edit functions
  • Only translators, editors, and administrators should be able to edit repositories
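
The checklist above is a deny-by-default access matrix. As an added example (not AtoM's own code; the group and action labels are illustrative, not AtoM identifiers), the policy is encoded as data and the hardened check is placed beside the "logged in means allowed" pattern that produced the original report, so the regression can be enumerated for a user with no group membership:

```python
# Added example, not AtoM code: deny-by-default group/action policy taken from
# the QA checklist, beside the flawed "authenticated is enough" browse check.
# Group and action names are illustrative labels, not AtoM identifiers.

ADMIN, EDITOR, CONTRIBUTOR, TRANSLATOR = (
    "administrator", "editor", "contributor", "translator")

# Groups permitted for each action; any action not listed here is denied.
POLICY = {
    "menu:add_content":           {CONTRIBUTOR, EDITOR, ADMIN},
    "physical_object:browse":     {ADMIN},
    "rights_holder:browse":       {ADMIN},
    "rights_holder:delete":       {ADMIN},
    "description_updates:browse": {ADMIN},
    "taxonomy:browse":            {EDITOR, ADMIN},
    "taxonomy:view":              {EDITOR, ADMIN},
    "term:edit":                  {TRANSLATOR, EDITOR, ADMIN},
    "accession:browse":           {CONTRIBUTOR, EDITOR, ADMIN},
    "accession:edit":             {TRANSLATOR, EDITOR, ADMIN},
    "donor:browse":               {CONTRIBUTOR, EDITOR, ADMIN},
    "function:edit":              {TRANSLATOR, EDITOR, ADMIN},
    "repository:edit":            {TRANSLATOR, EDITOR, ADMIN},
}


def is_allowed_buggy(authenticated: bool, groups: set, action: str) -> bool:
    """The pattern behind the report: browse/view pages only asked whether
    the user was logged in, so a user in no groups could reach them."""
    if action.endswith(":browse") or action.endswith(":view"):
        return authenticated
    return bool(groups & POLICY.get(action, set()))


def is_allowed(authenticated: bool, groups: set, action: str) -> bool:
    """Hardened check: authentication is necessary but never sufficient.
    The action must be in the policy and the user in one of its groups;
    unknown actions and empty group sets are denied."""
    if not authenticated:
        return False
    return bool(groups & POLICY.get(action, set()))


def leaked_actions(check) -> list:
    """Actions a logged-in user with no group membership can reach under
    the given check; the hardened check should return an empty list."""
    return sorted(a for a in POLICY if check(True, set(), a))
```

Running `leaked_actions` over both checks reproduces the "To reproduce" steps of the report as a regression test: the flawed check leaks every browse and view page, the hardened one leaks nothing.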

#10 Updated by Dan Gillean over 1 year ago

  • Status changed from QA/Review to Feedback
  • Assignee changed from Dan Gillean to Mike Cantelon

Hi Mike!

This is looking mostly good, but I did find one issue that might not be easy to resolve.

You noted the following in your changes, which I have tested and reproduced:

Only editors and administrators should be able to browse, and view detail pages for, taxonomies

The only problem is, Subjects and Places are both taxonomies that even public users can browse (and Genres). Further, you've hidden the links in the main browse menu in the AtoM bar, but they are still present on the homepage browse menu. I think ideally anyone should be able to browse subjects, places, and genres. However, I understand that it might be difficult to add specific permissions to just these taxonomies without major changes. Thoughts welcome!

#11 Updated by Dan Gillean over 1 year ago

  • Target version set to Release 2.5.0

#12 Updated by Mike Cantelon over 1 year ago

  • Status changed from Feedback to Code Review
  • Assignee changed from Mike Cantelon to Nick Wilkinson

#13 Updated by Nick Wilkinson over 1 year ago

  • Assignee changed from Nick Wilkinson to José Raddaoui Marín

Hi Radda, can you please CR this?

#14 Updated by José Raddaoui Marín over 1 year ago

  • Status changed from Code Review to Feedback
  • Assignee changed from José Raddaoui Marín to Mike Cantelon

#15 Updated by José Raddaoui Marín over 1 year ago

Hi Dan, I believe the reason for seeing different menus in the homepage and the header may be that we're caching the menus with the "ViewCacheManager". I have added a note in the PR about clearing it in the migration but I think you could achieve the same by removing the ".cache" folder in the AtoM directory.

#16 Updated by Mike Cantelon over 1 year ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from Mike Cantelon to Dan Gillean

Merged into qa/2.5.x for QA.

#17 Updated by Mike Cantelon over 1 year ago

  • Status changed from QA/Review to Feedback
  • Assignee changed from Dan Gillean to Mike Cantelon

Sorry, just tested and realized I messed up resolving a git conflict so will fix that.

#18 Updated by Mike Cantelon over 1 year ago

  • Status changed from Feedback to Code Review
  • Assignee changed from Mike Cantelon to José Raddaoui Marín

PR for fix of my fix. Sorry about the mix-up.

#19 Updated by José Raddaoui Marín over 1 year ago

  • Status changed from Code Review to Feedback
  • Assignee changed from José Raddaoui Marín to Mike Cantelon

#20 Updated by Mike Cantelon over 1 year ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from Mike Cantelon to Dan Gillean

Merged for QA.

#21 Updated by Dan Gillean about 1 year ago

Note for testing: when reviewing this, please check this use case: https://groups.google.com/d/msg/ica-atom-users/rIjVsQV5qr0/iVD2sJUdAAAJ

From the user:

I have changed both translator user and translator group permissions to Grant. However, the translator can search for Rights holders, but can not access add or detail pages.
Is this a bug?

#22 Updated by Michelle Curran about 1 year ago

  • Status changed from QA/Review to Verified
  • Assignee changed from Dan Gillean to Nick Wilkinson

Verified the following:

  • Only authenticated users in the contributor, editor, and admin groups should be able to see menu items to add content
  • Only administrators should be able to browse physical objects
  • Only administrators should be able to browse and delete rights holders
  • Only administrators should be able to browse the search/descriptionUpdates page
  • Only editors and administrators should be able to browse, and view detail pages for, taxonomies
  • Only translators, editors, and administrators should be able to edit terms
  • Only contributors, editors, and administrators should be able to browse accessions
  • Only translators, editors, and administrators should be able to edit accessions
  • Only contributors, editors, and administrators should be able to browse donors
  • Only translators, editors, and administrators should be able to edit functions
  • Only translators, editors, and administrators should be able to edit repositories
