Bug #4351
User with restricted permissions to a repository can view and edit information objects belonging to other repositories
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Duplicate | Start date: | |
| Priority: | Critical | Due date: | |
| Assignee: | David Juhasz | % Done: | 0% |
| Category: | - | | |
| Target version: | Release 1.3 | | |
| Google Code Legacy ID: | atom-2403 | Tested version: | |
| Sponsored: | | Requires documentation: | |
Description
To reproduce this error:
========================
1) Create user and assign to group (you must have multiple information objects and multiple repositories in the system)
2) Open information object permissions and deny group permissions to user
3) Add repository and allow information object permissions only for that repository
4) Save and log out
5) Log in as user
Resulting error:
================
User can view and edit all information objects regardless of their repository affiliation
Expected result:
================
User can only view and edit information objects affiliated with their repository
[g] Legacy categories: User management
Related issues
History
#1 Updated by Jesús García Crespo almost 10 years ago
- Target version set to Release 1.3
Jessica is the reporter, assign to Jesús.
[g] Labels added: Milestone-Release-1.3
[g] New owner: Jesús García Crespo
#2 Updated by Jesús García Crespo almost 10 years ago
- Status changed from New to QA/Review
Jessica, can you try to be more explicit describing the steps that I have to follow? What group have you assigned to the user? I don't understand step 2) either: the information object permissions page for the user or for the group? Thanks.
#3 Updated by Jessica Bushey almost 10 years ago
- Status changed from QA/Review to Feedback
1) Create user and assign to group (e.g., contributor group)
2) Click Create
3) View user profile and select Information object permissions
4) Click Edit
5) View Edit Information object permissions - inherit is selected, but change this to deny
6) Click on hyperlink "Permissions by Repository" and grant permissions to User but limit to one repository (e.g., Sudbury Archives)
7) Click Save
8) Log out
9) Log in as User
Resulting error:
User can see all information objects in all repositories. I also tested this by creating a User and NOT assigning them to a group, but restricting them to a repository. They were also able to view all information objects in all repositories.
Expected results:
User can only see information objects for their repository.
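The expected result in steps 5) and 6) is a precedence question: a deny on information objects in general, combined with an allow scoped to a single repository, should leave the user with access to that repository's objects only, and a repository-scoped allow must never widen into a global one. The following is an added illustration of such an evaluator, not AtoM's own code: the data model, rule precedence, user names, the "Other Archives" repository, the object slugs and the group-level allow for "contributor" are all constructed assumptions; "Sudbury Archives" is the example repository from the report. A deliberately scope-blind variant is included alongside to show how the class of defect described above (every object visible) differs in output from the expected resolution.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class InformationObject:
    slug: str
    repository: str


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    principal: str                    # user name or group name
    action: str                       # "read", "update", ...
    grant: Optional[bool]             # True = allow, False = deny, None = inherit
    repository: Optional[str] = None  # None = applies to every repository


def _rules_for(principal: str, action: str, rules: List[Rule]) -> List[Rule]:
    # 'inherit' rules (grant is None) never decide anything themselves.
    return [r for r in rules
            if r.principal == principal and r.action == action and r.grant is not None]


def expected_grant(user: User, action: str, io: InformationObject,
                   rules: List[Rule], default: bool = False) -> bool:
    """Resolve the most specific rule that applies to this object.

    Precedence, most specific first (an assumed model, not AtoM's):
      1. user rule scoped to the object's repository
      2. user rule with no repository scope
      3. group rule scoped to the object's repository
      4. group rule with no repository scope
      5. system default
    A rule scoped to a *different* repository never applies.
    """
    for principal in [user.name] + sorted(user.groups):
        candidates = _rules_for(principal, action, rules)
        for r in candidates:
            if r.repository == io.repository:
                return r.grant
        for r in candidates:
            if r.repository is None:
                return r.grant
    return default


def scope_blind_grant(user: User, action: str, io: InformationObject,
                      rules: List[Rule], default: bool = False) -> bool:
    """Hypothetical defect for contrast: an allow is honoured wherever it
    appears, so a repository-limited allow becomes a global allow."""
    for principal in [user.name] + sorted(user.groups):
        candidates = _rules_for(principal, action, rules)
        if any(r.grant for r in candidates):
            return True
        if candidates:
            return False
    return default


def visible_objects(user: User, rules: List[Rule],
                    objects: List[InformationObject], evaluator) -> List[str]:
    """Slugs the user may read, under the given evaluation function."""
    return sorted(io.slug for io in objects if evaluator(user, "read", io, rules))


# Constructed sample data modelled on the report.
OBJECTS = [
    InformationObject("sudbury-fonds-1", "Sudbury Archives"),
    InformationObject("sudbury-fonds-2", "Sudbury Archives"),
    InformationObject("other-fonds-1", "Other Archives"),
]

# Steps 1, 5 and 6: contributor group member, read denied on information
# objects in general, then allowed for one repository only.
GROUP_MEMBER = User("jdoe", {"contributor"})
GROUP_MEMBER_RULES = [
    Rule("contributor", "read", True),                          # group-level allow (assumption)
    Rule("jdoe", "read", False),                                # step 5: deny
    Rule("jdoe", "read", True, repository="Sudbury Archives"),  # step 6: repository allow
]

# Second variant from the report: no group at all, only the repository allow.
LONE_USER = User("asmith")
LONE_USER_RULES = [Rule("asmith", "read", True, repository="Sudbury Archives")]


if __name__ == "__main__":
    for label, user, rules in [("group member", GROUP_MEMBER, GROUP_MEMBER_RULES),
                               ("no group", LONE_USER, LONE_USER_RULES)]:
        print(label, "expected:   ", visible_objects(user, rules, OBJECTS, expected_grant))
        print(label, "scope-blind:", visible_objects(user, rules, OBJECTS, scope_blind_grant))
```

Under the expected resolution both users see only the two Sudbury Archives objects; the scope-blind evaluator returns all three for both, which is the symptom the report describes. When verifying a fix for a report like this, the second variant (no group, repository allow only) is the more telling check, since it removes group inheritance from the picture entirely.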
#4 Updated by David Juhasz almost 10 years ago
[g] New owner: David Juhasz
#5 Updated by Jessica Bushey almost 10 years ago
- Status changed from Feedback to Duplicate