Limiting user permissions by repository fails when information object is not associated with a repository
Assignee: José Raddaoui Marín
Category: Accessions
Estimated time: 6.00 hours
Target version: Release 1.4.0
Google Code Legacy ID: atom-2385
To reproduce this error:
Using the admin user created during the installation:
1) Create repository "FB"
2) Create description "Foo" and make it part of the repository FB
3) Create description "Bar", with no repository. It shouldn't be a child of Foo.
4) Create an extra user Peanut, no groups, just "authenticated".
5) Give Peanut all the permissions available for the repository FB
6) Log out
7) Log in as that new user (Peanut)
Peanut can still edit and delete the "Bar" description.
Peanut should be able to edit/delete/add new children to the "Foo" description, but should not be able to alter the "Bar" description.
I have tested to ensure that if the description is associated with a different repository (not "FB") then Peanut should not be able to alter it - this works.
This issue is likely related to the behaviour reported in https://projects.artefactual.com/issues/3659 and https://projects.artefactual.com/issues/3261 - however, those issues report a workaround for managing permissions that does not seem to work in this case. I have attached a screenshot of the permissions granted (rather allowing all and then denying permissions for repository "FB") but the issue remains.
[g] Legacy categories: Access control
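The expected outcome of the reproduction steps above, written as a fail-closed authorization check with a small regression matrix. This is an added example, not AtoM's code and not part of the original report; the `Description`, `Grant` and `is_allowed` names, the action names and the second repository "Other" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("edit", "delete", "add_child")  # hypothetical action names


@dataclass(frozen=True)
class Description:
    title: str
    repository: Optional[str]  # None: not associated with any repository


@dataclass(frozen=True)
class Grant:
    user: str
    repository: str  # repository the grant is scoped to
    actions: frozenset


def is_allowed(grants, user, action, description):
    """Fail closed: a repository-scoped grant matches only an equal, non-empty repository."""
    if description.repository is None:
        return False  # no repository, so no repository-scoped grant can apply
    return any(
        g.user == user
        and g.repository == description.repository
        and action in g.actions
        for g in grants
    )


def regression_matrix():
    """Replay the report's setup (constructed data) and return each decision."""
    grants = [Grant("Peanut", "FB", frozenset(ACTIONS))]
    descriptions = [
        Description("Foo", "FB"),
        Description("Bar", None),
        Description("Baz", "Other"),  # constructed: a different repository
    ]
    return {
        (d.title, a): is_allowed(grants, "Peanut", a, d)
        for d in descriptions
        for a in ACTIONS
    }


if __name__ == "__main__":
    for key, allowed in regression_matrix().items():
        print(key, "ALLOW" if allowed else "DENY")
```
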
#8 Updated by Jesús García Crespo almost 9 years ago
- Subject changed from "ACL issue - Limiting user permissions by repository fails when information object is not associated with a repository" to "Limiting user permissions by repository fails when information object is not associated with a repository"