Bug #4280

Authenticated user not assigned to a group can add, edit, and delete repositories

Added by Dan Gillean about 10 years ago. Updated almost 9 years ago.

Status: Verified
Priority: High
Assignee: José Raddaoui Marín
% Done: 100%
Category: Access Control
Estimated time: 24.00 hours
Target version: Release 1.4.0
Google Code Legacy ID: atom-2332
Sponsored: No

Description

To reproduce this error:
1) Log in as an administrator and create a new user
2) Do not assign the new user to any groups; log out
3) Log in as the new (now authenticated) user
4) Navigate to repositories and select a repository

Resulting error:
Authenticated user with no permissions will have the Edit, Delete, and Add New buttons available, and can successfully act on these options (e.g., delete a repository)

Expected result:
An authenticated user with no permissions should not be able to add, edit, or delete repositories.

System should require all authenticated users to be assigned to a group.

Notes:
This same error is true of other users who belong to groups which should not require this function: e.g. a translator.

When viewing the page without authentication (i.e., without logging in as a user), repositories can be viewed but not altered or deleted --> this is the expected behavior for the authenticated user as well.

[g] Legacy categories: Access control, Repository, User management

History

#1 Updated by Anonymous about 10 years ago

  • Status changed from New to New
  • Priority set to High
  • Target version set to Release 1.3

[g] Labels added: Priority-High, Milestone-Release-1.3, Component-AccessControl, Component-Archival-Institutions, Component-User-Mgmt
[g] New owner: Dan Gillean

#2 Updated by Jessica Bushey over 9 years ago

  • Target version changed from Release 1.3 to Release 2.1.0

[g] Labels added: Milestone-Release-2.0
[g] Labels removed: Milestone-Release-1.3

#3 Updated by Jesús García Crespo over 9 years ago

  • Assignee changed from Dan Gillean to Jesús García Crespo
  • Sponsored set to No

Dan is the reporter.

#4 Updated by David Juhasz over 9 years ago

  • Category set to Access Control
  • Target version changed from Release 2.1.0 to Release 1.4.0

#5 Updated by David Juhasz about 9 years ago

  • Estimated time set to 8.00

#6 Updated by José Raddaoui Marín about 9 years ago

  • Assignee changed from Jesús García Crespo to José Raddaoui Marín

#7 Updated by Jesús García Crespo about 9 years ago

  • Assignee changed from José Raddaoui Marín to Jesús García Crespo

#8 Updated by José Raddaoui Marín almost 9 years ago

  • Status changed from New to In progress
  • Assignee changed from Jesús García Crespo to José Raddaoui Marín

#9 Updated by Jesús García Crespo almost 9 years ago

  • Estimated time changed from 8.00 to 24.00

#10 Updated by José Raddaoui Marín almost 9 years ago

  • Status changed from In progress to QA/Review
  • % Done changed from 0 to 100

Applied in changeset atom|commit:759f386868d632ead262740340486b772e2b383b.

#11 Updated by José Raddaoui Marín almost 9 years ago

Hi, a few notes:

In order to make this possible I've added permissions for the repositories

- First of all, you must upgrade the database: php symfony tools:upgrade-sql

This will create a root repository and add it as the parent of the existing repositories. This root repository shouldn't appear in any kind of repository list and shouldn't be accessible via URL.

- Going to Admin -> groups or users -> any user or group. You should see a new tab to manage permissions for archival institutions. This functionality works exactly as the authority record permissions. Permissions for an individual repository or for all the repositories may be assigned for the selected group/user.

- Then check if the new permissions are working as expected, also via URL.

Thanks!
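The reproduction steps in the description and the per-repository / all-repositories grants outlined in comment #11 can be modelled in a few lines. The block below is an added illustration, not AtoM code: the `User`, `Group`, `Permission`, `can_act_*` and `handle_request` names, the `repo-a`/`repo-b` slugs and the sample users are assumptions made for this example. It puts the reported behaviour (write actions gated on authentication alone) beside a deny-by-default check that resolves grants through the user's groups and per-user permissions, scoped either to one repository or to the hidden root repository meaning "all repositories", and enforces the decision at the request handler so that hitting the action URL directly is refused too.

```python
"""Model of the authorisation failure in bug #4280 and of the fix.

Constructed example, not AtoM code. All names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ROOT = "root"                       # hidden root repository = "all repositories"
READ = "read"
WRITE_ACTIONS = ("create", "update", "delete")


@dataclass(frozen=True)
class Permission:
    action: str                     # one of WRITE_ACTIONS
    repository: str                 # repository slug, or ROOT for every repository


@dataclass
class Group:
    name: str
    permissions: FrozenSet[Permission] = frozenset()


@dataclass
class User:
    username: Optional[str]         # None models an anonymous visitor
    groups: List[Group] = field(default_factory=list)
    permissions: FrozenSet[Permission] = frozenset()   # per-user grants

    @property
    def is_authenticated(self) -> bool:
        return self.username is not None


def can_act_vulnerable(user: User, action: str, repository: str) -> bool:
    """The reported behaviour: reads are public, but every write is allowed
    for any logged-in user, whether or not they belong to a group."""
    if action == READ:
        return True
    return user.is_authenticated


def can_act_fixed(user: User, action: str, repository: str) -> bool:
    """Deny by default. A write needs an explicit grant for this repository,
    or a grant on ROOT, collected from the user's groups and own grants."""
    if repository == ROOT:          # root must never be reachable
        return False
    if action == READ:              # anonymous read stays allowed
        return True
    if action not in WRITE_ACTIONS:
        return False
    granted = set(user.permissions)
    for group in user.groups:
        granted |= group.permissions
    return (Permission(action, repository) in granted
            or Permission(action, ROOT) in granted)


def handle_request(user: User, action: str, repository: str,
                   check=can_act_fixed) -> int:
    """Enforcement belongs in the action handler, not only in the template
    that hides buttons; a direct URL must get 403. Returns an HTTP status."""
    return 200 if check(user, action, repository) else 403


def reporter_scenarios(check=can_act_fixed) -> dict:
    """Re-run the users from the report against a given check.
    Sample users and repository slugs are constructed for this example."""
    editors = Group("editors", frozenset({Permission("update", "repo-a"),
                                          Permission("delete", "repo-a")}))
    anonymous = User(None)
    newuser = User("newuser")                       # authenticated, no group
    translator = User("translator", groups=[Group("translator")])
    editor = User("editor", groups=[editors])
    admin = User("admin", permissions=frozenset(
        Permission(a, ROOT) for a in WRITE_ACTIONS))
    return {
        "anonymous reads repo-a": handle_request(anonymous, READ, "repo-a", check),
        "anonymous deletes repo-a": handle_request(anonymous, "delete", "repo-a", check),
        "new user deletes repo-a": handle_request(newuser, "delete", "repo-a", check),
        "translator updates repo-a": handle_request(translator, "update", "repo-a", check),
        "editor updates repo-a": handle_request(editor, "update", "repo-a", check),
        "editor updates repo-b": handle_request(editor, "update", "repo-b", check),
        "editor creates repo-a": handle_request(editor, "create", "repo-a", check),
        "admin creates repo-b": handle_request(admin, "create", "repo-b", check),
        "admin updates root": handle_request(admin, "update", ROOT, check),
    }


if __name__ == "__main__":
    for label, fixed in reporter_scenarios().items():
        print(f"{label:28} vulnerable={reporter_scenarios(can_act_vulnerable)[label]} fixed={fixed}")
```

Running the module prints each scenario twice: under the reported behaviour the group-less user and the translator get 200 on a delete, under the deny-by-default check they get 403 while the editor's grant still works only on the repository it names and the admin's ROOT grant covers every repository except the root itself.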

#12 Updated by Jesús García Crespo almost 9 years ago

A note for testers: you don't have to run tools:upgrade-sql if you reinstall AtoM.

#13 Updated by José Raddaoui Marín almost 9 years ago

  • Status changed from QA/Review to In progress

#14 Updated by Dan Gillean almost 9 years ago

  • Description updated (diff)

#15 Updated by José Raddaoui Marín almost 9 years ago

  • Status changed from In progress to QA/Review

#16 Updated by Jessica Bushey almost 9 years ago

  • Status changed from QA/Review to Verified

You can control authenticated user's access to institutions through the permissions.
