Bug #13205

Adding multiple ACL group taxonomy rules - only last one added applies

Added by Steve Breker 4 months ago. Updated 4 months ago.

Status: New
Start date: 10/24/2019
Priority: Medium
Due date:
Assignee: -
% Done: 0%
Category: Access Control
Target version: Release 2.6.0
Google Code Legacy ID:
Tested version: 2.5, 2.6
Sponsored: No
Requires documentation:

Description

When multiple ACL group taxonomy rules with 'grant' permissions are created (e.g. for subjects and places), only the taxonomy for which the ACL rule was created last (most recently) will allow the creation of new terms when editing a description.

Steps to replicate:

- create two taxonomy rules applying to a new group (custom group) granting all permissions. (see attached screenshot A)
- log into AtoM as a user in the new group
- edit a description
- try to add a new term in both of the taxonomy fields for which ACL rules were added (e.g. place and subject). (see attached screenshot B)
- only the taxonomy that was added last will accept new terms being added even though permissions have been granted for both taxonomies.

Screen Shot B.png (58.4 KB) Steve Breker, 10/24/2019 08:21 PM

Screen Shot A.png (131 KB) Steve Breker, 10/24/2019 08:21 PM

Screen Shot C.png (1.03 MB) Steve Breker, 10/24/2019 08:22 PM


Related issues

Related to Access to Memory (AtoM) - Bug #13202: Regression: Custom groups with Create and Publish permiss... Verified 10/11/2019
Related to Access to Memory (AtoM) - Bug #11075: Authenticated users can access browse pages and functiona... Verified 04/13/2017
Related to Access to Memory (AtoM) - Bug #7695: Setting custom taxonomy delete permissions overrides all ... New 12/11/2014

History

#1 Updated by Steve Breker 4 months ago

Desired outcome:

Multiple group taxonomy rules should be able to be added.
When multiple rules have been created, the ACL permissions should apply correctly per taxonomy.

Additional info:

Screen shot C shows the permissions DB table with the 6 taxonomy rows.

In the WebUI, the subject and place taxonomy protect the 'add' functionality with ACL checks here:
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/sfIsadPlugin/modules/sfIsadPlugin/templates/editSuccess.php#L209

In contrast, the genre taxonomy 'add' function when editing a description checks the ACL for the linked actor:
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/sfIsadPlugin/modules/sfIsadPlugin/templates/editSuccess.php#L231

In the ACL plugin, new conditional ACL check objects are created here:
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/qbAclPlugin/lib/QubitAcl.class.php#L435

In the conditional ACL check object, the permission is evaluated here:
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/qbAclPlugin/lib/QubitAclConditionalAssert.class.php#L72

In the permissions object itself, the constant is always set to the last entered taxonomy permission role (see screenshot C, which shows the most recently entered permission record at the bottom).
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/qbAclPlugin/lib/model/QubitAclPermission.php#L149

Debug statements from QubitAclPermission showing the conditional when it does not match:
Oct 24 15:20:15 symfony [err] 1: %p[taxonomy] 'places', taxonomy, places
Oct 24 15:20:15 symfony [err] key: taxonomy subjects %p[taxonomy] 'places'
Oct 24 15:20:15 symfony [err] conditional: 'subjects' 'places'

Since in the permission object, the conditional is always equal to the last permission row, the conditional statement does not match and access is not allowed: conditional: 'subjects' 'places'
https://github.com/artefactual/atom/blob/qa/2.6.x/plugins/qbAclPlugin/lib/model/QubitAclPermission.php#L194
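The following is an added illustration, not AtoM's code; the class and function names are hypothetical. It models the failure mode described in comment #1 with a conditional permission whose condition lives in one class-wide slot, so the rule created last silently replaces the condition of every earlier rule, and sets it beside a per-rule version in which each rule keeps its own condition and both taxonomies are granted as intended.

```php
<?php
// Constructed example of the "last rule wins" failure mode.
// Not AtoM's implementation: names and structure are hypothetical.

class SharedConditionPermission
{
    // Bug model: the condition is stored once for the whole class, so
    // constructing a second rule overwrites the condition of the first.
    private static $conditional = null;
    private $groupId;
    private $action;

    public function __construct($groupId, $action, $conditional)
    {
        $this->groupId = $groupId;
        $this->action = $action;
        self::$conditional = $conditional; // last write wins for all rules
    }

    public function evaluate($groupId, $action, array $context)
    {
        if ($this->groupId !== $groupId || $this->action !== $action) {
            return false;
        }
        // Mirrors the report's debug line: the rule's own taxonomy is no
        // longer available, only whatever the most recent rule stored.
        return self::$conditional === $context['taxonomy'];
    }
}

class PerRuleConditionPermission
{
    // Fix model: each rule carries its own condition as an instance property.
    private $conditional;
    private $groupId;
    private $action;

    public function __construct($groupId, $action, $conditional)
    {
        $this->groupId = $groupId;
        $this->action = $action;
        $this->conditional = $conditional;
    }

    public function evaluate($groupId, $action, array $context)
    {
        return $this->groupId === $groupId
            && $this->action === $action
            && $this->conditional === $context['taxonomy'];
    }
}

// Grant access if any rule for this group/action matches the context.
function isAllowed(array $rules, $groupId, $action, array $context)
{
    foreach ($rules as $rule) {
        if ($rule->evaluate($groupId, $action, $context)) {
            return true;
        }
    }
    return false;
}

// Constructed rules matching the report: a custom group (id 100 here,
// hypothetical) is granted 'create' on subjects first, then on places.
$buggy = [
    new SharedConditionPermission(100, 'create', 'subjects'),
    new SharedConditionPermission(100, 'create', 'places'),
];
$fixed = [
    new PerRuleConditionPermission(100, 'create', 'subjects'),
    new PerRuleConditionPermission(100, 'create', 'places'),
];

foreach (['subjects', 'places'] as $taxonomy) {
    printf(
        "%-8s shared-condition=%s per-rule=%s\n",
        $taxonomy,
        isAllowed($buggy, 100, 'create', ['taxonomy' => $taxonomy]) ? 'allow' : 'deny',
        isAllowed($fixed, 100, 'create', ['taxonomy' => $taxonomy]) ? 'allow' : 'deny'
    );
}
```

With the shared-condition rules, 'subjects' is denied and only 'places' (the rule added last) is allowed, which is the symptom in the bug report; with per-rule conditions both taxonomies are allowed. When verifying a fix, check the case in the report directly: create rules for two or more taxonomies and confirm that every taxonomy named in a rule, not just the most recent one, accepts new terms.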

#2 Updated by Dan Gillean 4 months ago

  • Description updated (diff)

#3 Updated by Dan Gillean 4 months ago

  • Related to Bug #13202: Regression: Custom groups with Create and Publish permissions cannot access the Add menu or publish descriptions added

#4 Updated by Dan Gillean 4 months ago

  • Related to Bug #11075: Authenticated users can access browse pages and functionality that should be restricted to groups added

#5 Updated by Dan Gillean 3 months ago

  • Related to Bug #7695: Setting custom taxonomy delete permissions overrides all taxonomy delete permissions added
