Bug #4333

Limiting user permissions by repository fails when information object is not associated with a repository

Added by Dan Gillean almost 10 years ago. Updated almost 9 years ago.

Status: Verified
Start date:
Priority: Medium
Due date:
Assignee: José Raddaoui Marín
% Done: 100%
Category: Accessions
Estimated time: 6.00 hours
Target version: Release 1.4.0
Google Code Legacy ID: atom-2385
Tested version:
Sponsored: No
Requires documentation:

Description

To reproduce this error:

Using the admin user created during the installation:

1) Create repository "FB"
2) Create description "Foo" and make it part of the repository FB
3) Create description "Bar", with no repository. It shouldn't be a child of Foo.
4) Create an extra user Peanut, no groups, just "authenticated".
5) Give Peanut all the permissions available for the repository FB
6) Log out
7) Log in as that new user (Peanut)

Resulting error:

Peanut can still edit and delete the "Bar" description

Expected result:

Peanut should be able to edit/delete/add new children to the "Foo" description, but should not be able to alter the "Bar" description.

I have tested to ensure that if the description is associated with a different repository (not "FB") then Peanut should not be able to alter them - this works.

This issue is likely related to the behaviour reported in https://projects.artefactual.com/issues/3659 and https://projects.artefactual.com/issues/3261 - however, those issues report a workaround for managing permissions that does not seem to work in this case. I have attached a screenshot of the permissions granted (rather allowing all and then denying permissions for repository "FB") but the issue remains.

[g] Legacy categories: Access control

workaround-not-working.JPG (43.1 KB) Dan Gillean, 12/01/2012 05:35 AM
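
The expected result from the reproduction steps above, written as an executable check. This is an added example, not code from AtoM or from the reporter: the `Description`/`Grant` model and both check functions are hypothetical, and the fail-open variant shows only one way a repository-scoped check can produce the reported behaviour, not a confirmed root cause.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ticket's scenario; none of these names are AtoM's.
@dataclass(frozen=True)
class Description:
    title: str
    repository: Optional[str]  # None = not associated with any repository

@dataclass(frozen=True)
class Grant:
    user: str
    action: str
    repository: str  # grant applies only to descriptions in this repository

ACTIONS = ("edit", "delete", "add_child")
# Step 5 of the report: Peanut gets every permission, scoped to repository FB.
GRANTS = [Grant("Peanut", action, "FB") for action in ACTIONS]

def allowed_fail_open(user, action, desc, grants=GRANTS):
    """Hypothetical flawed check: the scope is compared only when the
    description has a repository, so an unassociated one matches any grant."""
    for g in grants:
        if g.user == user and g.action == action:
            if desc.repository is None or desc.repository == g.repository:
                return True
    return False

def allowed_fail_closed(user, action, desc, grants=GRANTS):
    """A scoped grant matches only an equal, non-empty repository;
    anything else falls through to deny."""
    return any(
        g.user == user and g.action == action
        and desc.repository is not None
        and desc.repository == g.repository
        for g in grants
    )

def permission_matrix(check, user="Peanut"):
    """Evaluate the ticket's scenario and return {title: {action: bool}}."""
    descriptions = (
        Description("Foo", "FB"),       # step 2
        Description("Bar", None),       # step 3: no repository
        Description("Baz", "Other"),    # constructed: a different repository
    )
    return {d.title: {a: check(user, a, d) for a in ACTIONS}
            for d in descriptions}
```
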

History

#1 Updated by Jesús García Crespo almost 10 years ago

  • Priority set to Medium
  • Target version set to Release 1.3

[g] Labels added: Milestone-Release-1.3, Priority-Medium, Component-AccessControl
[g] New owner: David Juhasz

#2 Updated by Dan Gillean over 9 years ago

  • Description updated (diff)

#3 Updated by Dan Gillean over 9 years ago

  • Target version changed from Release 1.3 to Release 2.1.0

#4 Updated by Jesús García Crespo over 9 years ago

  • Assignee changed from David Juhasz to Jesús García Crespo
  • Target version changed from Release 2.1.0 to Release 1.4.0
  • Estimated time set to 6.00
  • Sponsored set to No

#5 Updated by José Raddaoui Marín almost 9 years ago

  • Assignee changed from Jesús García Crespo to José Raddaoui Marín

#6 Updated by José Raddaoui Marín almost 9 years ago

  • Status changed from New to QA/Review
  • % Done changed from 0 to 100

Applied in changeset atom|commit:cc33b2083e2dc0548d98c7e686f2c0406a8e3579.

#7 Updated by Jesús García Crespo almost 9 years ago

  • Category set to Accessions

#8 Updated by Jesús García Crespo almost 9 years ago

  • Subject changed from ACL issue - Limiting user permissions by repository fails when information object is not associated with a repository to Limiting user permissions by repository fails when information object is not associated with a repository

#9 Updated by Dan Gillean almost 9 years ago

  • Status changed from QA/Review to Verified
