Task #10209 (closed)
Bug: prevent removal of root's user/system group links
Reported by: | jamoore | Owned by: | mtbcarroll |
---|---|---|---|
Priority: | critical | Milestone: | 5.0.0-rc1 |
Component: | ORM | Version: | 4.4.8 |
Keywords: | n.a. | Cc: | java@…, wmoore |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | OMERO 5 Beta 2 (1) |
Description (last modified by jamoore)
see: https://www.openmicroscopy.org/qa2/qa/feedback/4847
A trigger statement could be added to prevent the deletion (or possibly even modification) of that row:
BEGIN; DROP TRIGGER IF EXISTS prevent_root_deactivate ON groupexperimentermap; CREATE OR REPLACE FUNCTION prevent_root_deactivate() RETURNS trigger LANGUAGE plpgsql AS $$ BEGIN IF OLD.CHILD = 0 THEN -- IF ROOT IF OLD.PARENT = 0 THEN RAISE EXCEPTION 'cannot remove system group membership for root'; ELSIF OLD.PARENT = 1 THEN RAISE EXCEPTION 'cannot remove user group membership for root'; END IF; END IF; RETURN OLD; END; $$; CREATE TRIGGER prevent_root_deactivate BEFORE DELETE ON groupexperimentermap FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate(); COMMIT;
45d=# delete from groupexperimentermap where id = 0; ERROR: cannot remove system group membership for root 45d=#
Also: a bin/omero db method could be provided to print out a replacement in case something does happen:
insert into groupexperimentermap (id, permissions, owner, child, child_index, parent) values (0, -52, true, 0, 0, 0);
Another alternative would be to make the root user "synthetic", i.e. not in the database at all except for the password entry in the "password" table.
Changing of root's name should also be disallowed. See https://www.openmicroscopy.org/community/viewtopic.php?f=4&t=6360&p=11983&hilit=intermittent#p11983
Attachments (2)
Change History (21)
comment:1 Changed 11 years ago by jamoore
- Cc java@… added; jburel removed
- Version set to 4.4.8
comment:2 Changed 11 years ago by atarkowska
- Owner set to pwalczysko
comment:3 Changed 11 years ago by wmoore
Petr - to assess the priority of this ticket we need to check whether it's possible in Web or Insight for an Admin to remove their own Admin status (so that they can no-longer login as Admin). Also check if it's possible for a regular user or Admin to 'disable' themselves, so they can't log in at-all.
comment:4 Changed 11 years ago by pwalczysko
Bug (Insight(:
- Login on develop as user-6 (admin)
try to modify the Administrator settings of yourself:
- tick out the admin box in the right-hand panel
- press save
- click on the user-6 in the tree again
- the box "Acmin" in the right-hand pane is ticked again
- tick the box out again
- press Save again
- error appears
java.lang.Exception: org.openmicroscopy.shoola.env.data.DSAccessException: Cannot access data. Cannot modify the roles of the experimenters. at org.openmicroscopy.shoola.env.data.OMEROGateway.handleException(OMEROGateway.java:937) at org.openmicroscopy.shoola.env.data.OMEROGateway.modifyExperimentersRoles(OMEROGateway.java:4190) at org.openmicroscopy.shoola.env.data.AdminServiceImpl.updateExperimenters(AdminServiceImpl.java:561) at org.openmicroscopy.shoola.env.data.views.calls.AdminLoader$8.doCall(AdminLoader.java:251) at org.openmicroscopy.shoola.env.data.views.BatchCall.doStep(BatchCall.java:144) at org.openmicroscopy.shoola.util.concur.tasks.CompositeTask.doStep(CompositeTask.java:226) at org.openmicroscopy.shoola.env.data.views.CompositeBatchCall.doStep(CompositeBatchCall.java:126) at org.openmicroscopy.shoola.util.concur.tasks.ExecCommand.exec(ExecCommand.java:165) at org.openmicroscopy.shoola.util.concur.tasks.ExecCommand.run(ExecCommand.java:276) at org.openmicroscopy.shoola.util.concur.tasks.AsyncProcessor$Runner.run(AsyncProcessor.java:91) at java.lang.Thread.run(Thread.java:680) Caused by: omero.SecurityViolation serverStackTrace = "ome.conditions.SecurityViolation: Current user is neither admin nor group-leader for the given user(s)/group(s) at ome.logic.AdminImpl.throwNonAdminOrPi(AdminImpl.java:1340) at ome.logic.AdminImpl.adminOrPiOfGroups(AdminImpl.java:1362) at ome.logic.AdminImpl.removeGroups(AdminImpl.java:674) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at ome.security.basic.EventHandler.invoke(EventHandler.java:154) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:241) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy78.removeGroups(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:98) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy78.removeGroups(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179) at ome.services.throttling.Callback.run(Callback.java:56) at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56) at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:149) at ome.services.blitz.impl.AdminI.removeGroups_async(AdminI.java:299) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at omero.cmd.CallContext.invoke(CallContext.java:59) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy79.removeGroups_async(Unknown Source) at omero.api._IAdminTie.removeGroups_async(_IAdminTie.java:309) at omero.api._IAdminDisp.___removeGroups(_IAdminDisp.java:975) at omero.api._IAdminDisp.__dispatch(_IAdminDisp.java:1637) at IceInternal.Incoming.invoke(Incoming.java:159) at Ice.ConnectionI.invokeAll(ConnectionI.java:2037) at Ice.ConnectionI.message(ConnectionI.java:972) at IceInternal.ThreadPool.run(ThreadPool.java:577) at IceInternal.ThreadPool.access$100(ThreadPool.java:12) at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971) " serverExceptionClass = "ome.conditions.SecurityViolation" message = "Current user is neither admin nor group-leader for the given user(s)/group(s)" at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at java.lang.Class.newInstance0(Class.java:357) at java.lang.Class.newInstance(Class.java:310) at IceInternal.BasicStream$DynamicUserExceptionFactory.createAndThrow(BasicStream.java:2243) at IceInternal.BasicStream.throwException(BasicStream.java:1632) at IceInternal.Outgoing.throwUserException(Outgoing.java:442) at omero.api._IAdminDelM.removeGroups(_IAdminDelM.java:1827) at omero.api.IAdminPrxHelper.removeGroups(IAdminPrxHelper.java:2453) at omero.api.IAdminPrxHelper.removeGroups(IAdminPrxHelper.java:2425) at org.openmicroscopy.shoola.env.data.OMEROGateway.modifyExperimentersRoles(OMEROGateway.java:4186) ... 9 more at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.showErrorDialog(UserNotifierImpl.java:189) at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.notifyError(UserNotifierImpl.java:287) at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.notifyError(UserNotifierImpl.java:257) at org.openmicroscopy.shoola.agents.metadata.MetadataLoader.handleException(MetadataLoader.java:112) at org.openmicroscopy.shoola.agents.metadata.MetadataLoader.handleException(MetadataLoader.java:183) at org.openmicroscopy.shoola.env.data.events.DSCallAdapter.eventFired(DSCallAdapter.java:84) at org.openmicroscopy.shoola.env.data.views.BatchCallMonitor$1.run(BatchCallMonitor.java:124) at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209) at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:708) at java.awt.EventQueue.access$400(EventQueue.java:82) at java.awt.EventQueue$2.run(EventQueue.java:669) at java.awt.EventQueue$2.run(EventQueue.java:667) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87) at java.awt.EventQueue.dispatchEvent(EventQueue.java:678) at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:296) at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:211) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:201) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:196) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:188) at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
comment:5 Changed 11 years ago by pwalczysko
After the abovementioned bug, went to group system, clicking onto the group to expand, got another error (note that I manipulated only with user-6, not user-8)
java.lang.Exception: org.openmicroscopy.shoola.env.data.DSAccessException: Cannot access data. Cannot load hierarchy for class pojos.ProjectData. at org.openmicroscopy.shoola.env.data.OMEROGateway.handleException(OMEROGateway.java:937) at org.openmicroscopy.shoola.env.data.OMEROGateway.loadContainerHierarchy(OMEROGateway.java:2282) at org.openmicroscopy.shoola.env.data.OmeroDataServiceImpl.loadContainerHierarchy(OmeroDataServiceImpl.java:225) at org.openmicroscopy.shoola.env.data.views.calls.DMLoader$1.doCall(DMLoader.java:90) at org.openmicroscopy.shoola.env.data.views.BatchCall.doStep(BatchCall.java:144) at org.openmicroscopy.shoola.util.concur.tasks.CompositeTask.doStep(CompositeTask.java:226) at org.openmicroscopy.shoola.env.data.views.CompositeBatchCall.doStep(CompositeBatchCall.java:126) at org.openmicroscopy.shoola.util.concur.tasks.ExecCommand.exec(ExecCommand.java:165) at org.openmicroscopy.shoola.util.concur.tasks.ExecCommand.run(ExecCommand.java:276) at org.openmicroscopy.shoola.util.concur.tasks.AsyncProcessor$Runner.run(AsyncProcessor.java:91) at java.lang.Thread.run(Thread.java:680) Caused by: omero.SecurityViolation serverStackTrace = "ome.conditions.SecurityViolation: User 8 is not a member of group 0 and cannot login at ome.security.basic.BasicSecuritySystem.loadEventContext(BasicSecuritySystem.java:380) at ome.security.basic.EventHandler.doLogin(EventHandler.java:210) at ome.security.basic.EventHandler.invoke(EventHandler.java:146) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:241) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy92.loadContainerHierarchy(Unknown Source) at sun.reflect.GeneratedMethodAccessor1768.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:98) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy92.loadContainerHierarchy(Unknown Source) at sun.reflect.GeneratedMethodAccessor1799.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179) at ome.services.throttling.Callback.run(Callback.java:56) at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56) at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:149) at ome.services.blitz.impl.ContainerI.loadContainerHierarchy_async(ContainerI.java:179) at sun.reflect.GeneratedMethodAccessor1798.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at omero.cmd.CallContext.invoke(CallContext.java:59) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy93.loadContainerHierarchy_async(Unknown Source) at omero.api._IContainerTie.loadContainerHierarchy_async(_IContainerTie.java:134) at omero.api._IContainerDisp.___loadContainerHierarchy(_IContainerDisp.java:196) at omero.api._IContainerDisp.__dispatch(_IContainerDisp.java:641) at IceInternal.Incoming.invoke(Incoming.java:159) at Ice.ConnectionI.invokeAll(ConnectionI.java:2037) at Ice.ConnectionI.message(ConnectionI.java:972) at IceInternal.ThreadPool.run(ThreadPool.java:577) at IceInternal.ThreadPool.access$100(ThreadPool.java:12) at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971) " serverExceptionClass = "ome.conditions.SecurityViolation" message = "User 8 is not a member of group 0 and cannot login" at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at java.lang.Class.newInstance0(Class.java:357) at java.lang.Class.newInstance(Class.java:310) at IceInternal.BasicStream$DynamicUserExceptionFactory.createAndThrow(BasicStream.java:2243) at IceInternal.BasicStream.throwException(BasicStream.java:1632) at IceInternal.Outgoing.throwUserException(Outgoing.java:442) at omero.api._IContainerDelM.loadContainerHierarchy(_IContainerDelM.java:592) at omero.api.IContainerPrxHelper.loadContainerHierarchy(IContainerPrxHelper.java:738) at omero.api.IContainerPrxHelper.loadContainerHierarchy(IContainerPrxHelper.java:710) at org.openmicroscopy.shoola.env.data.OMEROGateway.loadContainerHierarchy(OMEROGateway.java:2278) ... 9 more at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.showErrorDialog(UserNotifierImpl.java:189) at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.notifyError(UserNotifierImpl.java:287) at org.openmicroscopy.shoola.env.ui.UserNotifierImpl.notifyError(UserNotifierImpl.java:257) at org.openmicroscopy.shoola.agents.treeviewer.DataBrowserLoader.handleException(DataBrowserLoader.java:148) at org.openmicroscopy.shoola.env.data.events.DSCallAdapter.eventFired(DSCallAdapter.java:84) at org.openmicroscopy.shoola.env.data.views.BatchCallMonitor$1.run(BatchCallMonitor.java:124) at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209) at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:708) at java.awt.EventQueue.access$400(EventQueue.java:82) at java.awt.EventQueue$2.run(EventQueue.java:669) at java.awt.EventQueue$2.run(EventQueue.java:667) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87) at java.awt.EventQueue.dispatchEvent(EventQueue.java:678) at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:296) at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:211) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:201) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:196) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:188) at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
comment:6 Changed 11 years ago by pwalczysko
In Insight (develop branch) managed to knock "root" completely out of play:
- login as root
- in right-hand pane tick out the box admin
- press save button
- select "root" in the tree again
- repeat the above sequence starting with ticking out the box again
- error appears as reported above ("Cannot modify the roles of experimenters")
- log out using "Switch user"
- try to login as root again - not possible, wrong user/password is indicated, although I am putting in the right one and I did not change the pwd at all - see screenshot
Changed 11 years ago by pwalczysko
comment:7 Changed 11 years ago by pwalczysko
Server restart did not help - root is definitely out of play, cannot login in Insight, as for Web, cannot login as anybody (caused by the workflow in the comment above).
comment:8 Changed 11 years ago by pwalczysko
Deleted the comment about Web - the behaviour is actually OK - sorry.
Changed 11 years ago by pwalczysko
comment:9 Changed 11 years ago by wmoore
- Owner changed from pwalczysko to jamoore
Since the clients don't prevent you from getting into trouble, it is a high priority for 4.4.9 to prevent this from the server side.
comment:10 Changed 11 years ago by jamoore
- Description modified (diff)
comment:11 Changed 11 years ago by jamoore
- Milestone changed from OMERO-4.4.9 to OMERO-5
Pushing this out of 4.4.9 since it requires a DB change in favor of #11465. If another patch release in the 4.4 line requires a DB change, we could easily add these restrictions at the appropriate level.
comment:12 Changed 11 years ago by jburel
- Milestone changed from OMERO-5 to 5.0.0-beta2
Moving to Beta2. Add control in clients Listed in https://docs.google.com/document/d/1s58QoESMLP88vC1kgqe3C9cPza-d66Zmqei0_1Lh8zo/edit
comment:13 Changed 10 years ago by mtbcarroll
I'm happy to look at the DB trigger side of this if you like.
comment:14 Changed 10 years ago by jamoore
- Owner changed from jamoore to mtbcarroll
- Sprint set to OMERO 5 Beta 2 (1)
Happy to pass off, mtbc. And it's certainly good to have as many of the DB changes done and dusted now.
comment:15 Changed 10 years ago by mtbcarroll
I'll add triggers to correspond with the ValidationExceptions of https://github.com/openmicroscopy/openmicroscopy/pull/1595/ -- perhaps its integration tests will have to be adjusted to fit the different constraint violation exception.
comment:16 Changed 10 years ago by mtbcarroll
- Status changed from new to accepted
comment:17 Changed 10 years ago by mtbcarroll
- Resolution set to fixed
- Status changed from accepted to closed
comment:18 Changed 10 years ago by Mark Carroll <m.t.b.carroll@…>
- Remaining Time set to 0
(In [396fce297d1dc765c8253ff05214d2e85892725b/ome.git] on branch develop) fix #10209: add PL/pgSQL triggers mirroring some of PR #1595
comment:19 Changed 10 years ago by Josh Moore <josh@…>
(In [9b3ab0dd0a8a1715c3ef91de3efacfda2bf02739/ome.git] on branch develop) Merge pull request #1723 from mtbc/trac-11465-user-group-change-restrictions
fix #10209: restrict one's changes to user, group
This is one of at least three tickets that I had on my 4.4.9 radar that would require a DB change. The others are:
If we want to avoid any DB changes, then I would say, let's push this and deal with that issue later. Otherwise, we can likely tackle this and certainly the ns bit, though #11182 is harder.