Bug #3659

User with update permissions for only one repository can update other repositories' records

Added by Evelyn McLellan over 11 years ago. Updated almost 6 years ago.

Status: New
Start date:
Priority: Low
Due date:
Assignee: -
% Done: 0%

Category:Access Control
Target version:-
Google Code Legacy ID: atom-1710
Tested version:
Sponsored: No
Requires documentation:

Description

To reproduce this error:
1) Create a user and modify permissions similar to the attached screenshot
2) Log in as the user
3) Navigate to an information object belonging to a repository that is not the repository for which the user has update permission

Resulting error:
User can update information objects belonging to repositories other than the one s/he has permission for

Expected result:
User should be able to update information objects belonging only to the specified repository

[g] Legacy categories: Access control

acl.png (267 KB) Evelyn McLellan, 12/01/2012 03:40 AM

acl2.png (28.3 KB) David Juhasz, 12/01/2012 03:40 AM


Related issues

Related to Access to Memory (AtoM) - Bug #5783: Group deny permissions for viewing descriptions and refer... New 10/11/2013
Duplicated by Access to Memory (AtoM) - Bug #3261: Can't assign multiple access rules per role Duplicate
Duplicated by Access to Memory (AtoM) - Bug #4351: User with restricted permissions to a repository can view... Duplicate

History

#1 Updated by Evelyn McLellan over 11 years ago

  • Subject set to User with view draft/update permissions for only one repository can view drafts of and update other repositories' records
  • Priority changed from High to Critical

Also, user with view draft permissions for one repository only can view drafts of descriptions belonging to other repositories. Am changing title to reflect this and upgrading the issue to critical.

[g] Labels added: Priority-Critical
[g] Labels removed: Priority-High

#2 Updated by David Juhasz over 11 years ago

  • Subject set to User with update permissions for only one repository can update other repositories' records
  • Priority changed from Critical to High
  • Target version changed from Release 1.1 to Release 1.2
  • File acl2.png added

This is two separate issues. I've created /p/qubit-toolkit/issues/detail?id=1821 to address the "view drafts" problem.

I'm bumping this issue (Related to editing descriptions in other repositories) because you can avoid the problem by using the permissions shown in the attached screenshot "acl2.png", and solving for the original ACL case is complex.

[g] Labels added: Priority-High, Milestone-Release-1.2
[g] Labels removed: Priority-Critical, Milestone-Release-1.1

#3 Updated by Tim Hutchinson about 11 years ago

See also /p/qubit-toolkit/issues/detail?id=1311. Since I didn't initially clue into the details of the screenshot above, I will just add that the key is to add permissions to the authenticated group, rather than assigning the user to an editor/contributor group and then denying roles for all information objects and adding back roles for a single institution (as documented in the user manual).
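A constructed model of the access check this issue is about, added here to illustrate the report; it is not AtoM's own code and the class and function names are assumptions. It reproduces the reported behaviour from the description (an update grant meant for one repository honoured for every repository) beside the expected behaviour, using the manual's pattern mentioned in #3 of denying update on all information objects and granting it back for a single repository.

```python
# Constructed model of repository-scoped access checks; not AtoM's code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str
    allow: bool
    repository: Optional[str] = None  # None: rule applies to every repository

@dataclass(frozen=True)
class InformationObject:
    slug: str
    repository: str

@dataclass
class User:
    name: str
    rules: list = field(default_factory=list)

def can_update_unscoped(user: User, obj: InformationObject) -> bool:
    """Reported behaviour: decide from the grants alone and ignore which
    repository the object belongs to, so any 'update' allow wins anywhere."""
    return any(r.action == "update" and r.allow for r in user.rules)

def can_update_scoped(user: User, obj: InformationObject) -> bool:
    """Expected behaviour: the object's repository is part of the decision.
    A rule scoped to that repository outranks an unscoped rule; when rules
    of equal specificity disagree, deny wins; no matching rule means deny."""
    matching = [r for r in user.rules
                if r.action == "update"
                and r.repository in (None, obj.repository)]
    if not matching:
        return False
    specific = [r for r in matching if r.repository is not None]
    decisive = specific or matching
    return all(r.allow for r in decisive)

# Constructed sample: deny update on all information objects, then grant
# it back for a single repository (the pattern described in the manual).
editor = User("editor", [Rule("update", False),
                         Rule("update", True, repository="repo-a")])
own_record = InformationObject("fonds-1", repository="repo-a")
other_record = InformationObject("fonds-2", repository="repo-b")

if __name__ == "__main__":
    print(can_update_unscoped(editor, other_record))  # reported: True
    print(can_update_scoped(editor, other_record))    # expected: False
```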

#4 Updated by David Juhasz almost 11 years ago

  • Priority changed from High to Medium

[g] Labels added: Priority-Medium
[g] Labels removed: Priority-High

#5 Updated by David Juhasz almost 11 years ago

  • Priority set to Low

[g] Labels added: Priority-Low

#6 Updated by Anonymous over 10 years ago

  • Priority changed from Low to High

The user manual has been changed to reflect the new "workaround" for restricting a user's permissions to a single repository; however, the question has been raised as to how this will impact Memory BC migration.

[g] Labels added: Priority-High
[g] Labels removed: Priority-Low

#7 Updated by David Juhasz over 10 years ago

  • Target version set to Release 1.3

Roll over to Release 1.3

[g] Labels added: Milestone-Release-1.3

#8 Updated by David Juhasz almost 10 years ago

Reassign to new account.

[g] New owner: David Juhasz

#11 Updated by Jessica Bushey over 9 years ago

  • Target version changed from Release 1.3 to Release 2.1.0

[g] Labels added: Milestone-Release-2.0
[g] Labels removed: Milestone-Release-1.3

#12 Updated by David Juhasz over 9 years ago

  • Priority changed from High to Low
  • Target version deleted (Release 2.1.0)
  • Sponsored set to No

We have a workaround for this issue, so I'm downgrading to "Low" priority.

#13 Updated by David Juhasz over 8 years ago

  • Category set to Access Control

#14 Updated by David Juhasz almost 6 years ago

  • Assignee deleted (David Juhasz)
