Bug #4333
Limiting user permissions by repository fails when information object is not associated with a repository
| Status: | Verified | Start date: | |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | José Raddaoui Marín | % Done: | 100% |
| Category: | Accessions | Estimated time: | 6.00 hours |
| Target version: | Release 1.4.0 | | |
| Google Code Legacy ID: | atom-2385 | Tested version: | |
| Sponsored: | No | Requires documentation: | |
Description
To reproduce this error:
Using the admin user created during the installation:
1) Create repository "FB"
2) Create description "Foo" and make it part of the repository FB
3) Create description "Bar", with no repository. It shouldn't be a child of Foo.
4) Create an extra user Peanut, no groups, just "authenticated".
5) Give Peanut all the permissions available for the repository FB
6) Log out
7) Log in as that new user (Peanut)
Resulting error:
Peanut can still edit and delete the "Bar" description
Expected result:
Peanut should be able to edit/delete/add new children to the "Foo" description, but should not be able to alter the "Bar" description.
I have tested to ensure that if the description is associated with a different repository (not "FB") then Peanut should not be able to alter them - this works.
This issue is likely related to the behaviour reported in https://projects.artefactual.com/issues/3659 and https://projects.artefactual.com/issues/3261 - however, those issues report a workaround for managing permissions that does not seem to work in this case. I have attached a screenshot of the permissions granted (rather allowing all and then denying permissions for repository "FB") but the issue remains.
[g] Legacy categories: Access control
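An added example, not part of the original report and not AtoM's code: a minimal model of the scenario above, assuming (the report does not state the cause) that the repository scope was only enforced when a description had a repository. All class and function names are hypothetical, and "Baz" is a constructed stand-in for the "different repository" case; the fail-open check sits beside a fail-closed one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the reproduction steps; names are hypothetical, not AtoM's.
@dataclass(frozen=True)
class Description:
    title: str
    repository: Optional[str]  # None = not associated with any repository

@dataclass
class User:
    name: str
    repo_grants: dict  # action -> set of repositories the grant is scoped to

def can_fail_open(user, action, desc):
    """Assumed buggy shape: the repository scope is only enforced when the
    description has a repository, so a missing one skips the check."""
    scopes = user.repo_grants.get(action)
    if scopes is None:
        return False  # no grant for this action at all
    if desc.repository is not None and desc.repository not in scopes:
        return False  # different repository: denied, as the report observed
    return True       # also reached when repository is None (the reported behaviour)

def can_fail_closed(user, action, desc):
    """Corrected shape: a repository-scoped grant applies only when the
    description's repository is positively in scope."""
    scopes = user.repo_grants.get(action, set())
    return desc.repository is not None and desc.repository in scopes

def matrix(check):
    """Run the issue's scenario and return {(title, action): allowed}."""
    actions = ("update", "delete")
    peanut = User("Peanut", {a: {"FB"} for a in actions})
    docs = [
        Description("Foo", "FB"),      # part of repository FB
        Description("Bar", None),      # no repository
        Description("Baz", "Other"),   # constructed: a different repository
    ]
    return {(d.title, a): check(peanut, a, d) for d in docs for a in actions}

if __name__ == "__main__":
    for name, check in (("fail-open", can_fail_open),
                        ("fail-closed", can_fail_closed)):
        print(name, matrix(check))
```

The `matrix` helper doubles as a regression check: under the fail-closed variant only the "Foo" rows are allowed.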
History
#1 Updated by Jesús García Crespo almost 10 years ago
- Priority set to Medium
- Target version set to Release 1.3
[g] Labels added: Milestone-Release-1.3, Priority-Medium, Component-AccessControl
[g] New owner: David Juhasz
#2 Updated by Dan Gillean over 9 years ago
- Description updated (diff)
#3 Updated by Dan Gillean over 9 years ago
- Target version changed from Release 1.3 to Release 2.1.0
#4 Updated by Jesús García Crespo over 9 years ago
- Assignee changed from David Juhasz to Jesús García Crespo
- Target version changed from Release 2.1.0 to Release 1.4.0
- Estimated time set to 6.00
- Sponsored set to No
#5 Updated by José Raddaoui Marín almost 9 years ago
- Assignee changed from Jesús García Crespo to José Raddaoui Marín
#6 Updated by José Raddaoui Marín almost 9 years ago
- Status changed from New to QA/Review
- % Done changed from 0 to 100
Applied in changeset atom|commit:cc33b2083e2dc0548d98c7e686f2c0406a8e3579.
#7 Updated by Jesús García Crespo almost 9 years ago
- Category set to Accessions
#8 Updated by Jesús García Crespo almost 9 years ago
- Subject changed from ACL issue - Limiting user permissions by repository fails when information object is not associated with a repository to Limiting user permissions by repository fails when information object is not associated with a repository
#9 Updated by Dan Gillean almost 9 years ago
- Status changed from QA/Review to Verified