Task #10657 (closed)

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

Bug: Permissions null! Security system failure

Reported by: wmoore Owned by: jamoore
Priority: critical Milestone: 5.0.0-beta1
Component: Security Version: n.a.
Keywords: n.a. Cc: fs@…
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: FS Demo 3

Description

In FS web, when we try to download an original file (sometimes a problem for scripts too) we see an exception "Permissions null! Security system failure". See https://github.com/ome/scripts/pull/23 and https://github.com/openmicroscopy/openmicroscopy/pull/969

File "/Users/will/Desktop/OMERO/dist/lib/python/omero_api_RawFileStore_ice.py", line 101, in setFileId
    return _M_omero.api.RawFileStore._op_setFileId.invoke(self, ((fileId, ), _ctx))

InternalException: exception ::omero::InternalException
{
    serverStackTrace = ome.conditions.InternalException: Permissions null! Security system failure -- refusing to continue. The Permissions should be set to a default value.
    at ome.security.basic.BasicACLVoter.allowUpdateOrDelete(BasicACLVoter.java:338)
    at ome.security.basic.BasicACLVoter.allowUpdate(BasicACLVoter.java:215)

Change History (8)

comment:1 Changed 6 years ago by jamoore

  • Remaining Time set to 0.5
  • Sprint set to FS Demo 3

comment:2 Changed 6 years ago by jamoore

For 2 regular users in the same read-only group, this is a reproducing script:

import sys
sys.path.insert(0, "lib/python")

import omero
import omero.gateway

cA = omero.client("localhost")
try:
    cA.createSession("10657a", "ome")
    gA = omero.gateway.BlitzGateway(client_obj=cA)
except:
    print "No cA"

cB = omero.client("localhost")
try:
    cB.createSession("10657b", "ome")
    gB = omero.gateway.BlitzGateway(client_obj=cB)
    gB.SERVICE_OPTS.setOmeroGroup(-1)
except:
    print "No cB"

try:
    faA = gA.createFileAnnfromLocalFile("bin/omero")
    faB = gB.getObject("FileAnnotation", faA.id)
    print "".join([x for x in faA.getFileInChunks()][0:1])[0:21]
    print "".join([x for x in faB.getFileInChunks()][0:1])[0:21]
finally:
    cA.__del__()
    cB.__del__()

comment:3 Changed 6 years ago by jamoore

This corrects:

diff --git a/10657.py b/10657.py
index 0458fb7..ff005e3 100755
--- a/10657.py
+++ b/10657.py
@@ -53,7 +53,14 @@ try:
     faA = gA.createFileAnnfromLocalFile("bin/omero")
     faB = gB.getObject("FileAnnotation", faA.id)
     print "".join([x for x in faA.getFileInChunks()][0:1])[0:21]
-    print "".join([x for x in faB.getFileInChunks()][0:1])[0:21]
+
+    try:
+        old = gB.SERVICE_OPTS.getOmeroGroup()
+        gB.SERVICE_OPTS.setOmeroGroup(str(faB.details.getGroup().id.val))
+        print "".join([x for x in faB.getFileInChunks()][0:1])[0:21]
+    finally:
+        gB.SERVICE_OPTS.setOmeroGroup(old)
+
 finally:
     cA.__del__()
     cB.__del__()
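
Review bot: in the added inner block, `old = gB.SERVICE_OPTS.getOmeroGroup()` sits inside the `try:`, so if that call raises, the `finally:` runs `setOmeroGroup(old)` with `old` unbound and the resulting NameError hides the real failure. Move the assignment to just before the `try:`. A short comment saying why the group is switched from -1 to the file's own group before `getFileInChunks()` would also help, since the hunk itself gives no reason.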

comment:4 Changed 6 years ago by jamoore

NB: See #10216

comment:6 Changed 6 years ago by jamoore

  • Remaining Time changed from 0.5 to 0
  • Resolution set to fixed
  • Status changed from new to closed

comment:7 Changed 6 years ago by jmoore <josh@…>

(In [b121c887e5722c2a033b585fa23db1576b17ff25/ome.git] on branch develop) Default to "r" mode if IAdmin.canUpdate fails (Fix #10657)

Any call to RawFileStore.setFileId with omero.group set to -1
was failing with an InternalException because IAdmin.canUpdate
was throwing. With this change, RawFileBean assumes that if
canUpdate fails that the mode should be "r", meaning no changes
are permissible to the file. Callers will need to explicitly
change the group id for "rw" behavior.

The major concern with this solution is that the action is silent:
even the owner of the file if calling with "-1" will not be able
to make changes.
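
The fail-closed mode selection described in the commit message above, modelled as an added example that is not part of the ticket or of OMERO's code. All function and class names are hypothetical, the group id 3 is constructed, and returning a reason alongside the mode is an assumption added here to show one way of making the downgrade visible to the caller.

```python
# Added illustration; every name here is hypothetical, not OMERO's API.
ALL_GROUPS = -1  # models the "omero.group = -1" call context from the ticket


class PermissionsUnavailable(Exception):
    """Models the check throwing because no single group's permissions apply."""


class ReadOnlyStore(Exception):
    """Raised when a write is attempted on a store opened in "r" mode."""


def can_update(owner, file_group, user, group_ctx):
    """Models the update check: it needs one concrete group to evaluate."""
    if group_ctx == ALL_GROUPS:
        raise PermissionsUnavailable("permissions null for group context -1")
    # Read-only group: only the owner, calling in the file's group, may update.
    return user == owner and group_ctx == file_group


def select_mode(owner, file_group, user, group_ctx):
    """Return (mode, reason). A failed check degrades to "r", never to "rw"."""
    try:
        allowed = can_update(owner, file_group, user, group_ctx)
    except PermissionsUnavailable as exc:
        # Fail closed, but hand the caller a reason so the downgrade is visible.
        return "r", "downgraded: %s" % exc
    return ("rw", "update allowed") if allowed else ("r", "update denied")


class Store:
    """Minimal file store that enforces the mode chosen at set_file_id time."""

    def __init__(self):
        self.mode, self.reason, self.data = None, None, b""

    def set_file_id(self, owner, file_group, user, group_ctx):
        self.mode, self.reason = select_mode(owner, file_group, user, group_ctx)
        return self.mode

    def write(self, payload):
        if self.mode != "rw":
            raise ReadOnlyStore(self.reason)
        self.data += payload
        return len(self.data)
```

In this model the owner calling with group context -1 gets "r" and a write raises, while the same owner calling with the file's group id gets "rw".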

comment:8 Changed 6 years ago by Chris Allan <callan@…>

(In [bb0652d01e5e0344e5167b5a312778a558d6b0f9/ome.git] on branch develop) Merge pull request #1011 from joshmoore/10657-setFileId

Default to "r" mode if IAdmin.canUpdate fails (Fix #10657)
