
Task #12763 (new)

Opened 5 years ago

Last modified 4 years ago

Bug: 500 in web uncaught on user deactivation

Reported by: jamoore Owned by: wmoore
Priority: major Milestone: Unscheduled
Component: Web Version: 5.0.8
Keywords: n.a. Cc: ux@…
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description

While testing https://github.com/openmicroscopy/openmicroscopy/pull/3441, a ServerError 500 was raised when the user was no longer active while trying to open the browser hierarchy.

Traceback (most recent call last):

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/django/core/handlers/base.py", line 114, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omeroweb/decorators.py", line 469, in wrapped
    retval = f(request, *args, **kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omeroweb/decorators.py", line 519, in wrapper
    context = f(request, *args, **kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omeroweb/webclient/views.py", line 489, in load_data
    manager.listOrphanedImages(filter_user_id, page)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omeroweb/webclient/controller/container.py", line 462, in listOrphanedImages
    self.experimenter = self.conn.getObject("Experimenter", eid)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omero/gateway/__init__.py", line 2918, in getObject
    query, params, self.SERVICE_OPTS)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omero/gateway/__init__.py", line 4103, in __call__
    return self.handle_exception(e, *args, **kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omeroweb/webclient/webclient_gateway.py", line 2069, in handle_exception
    e, *args, **kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omero/gateway/__init__.py", line 4100, in __call__
    return self.f(*args, **kwargs)

  File "/opt/hudson/workspace/OMERO-5.1-merge-deploy/src/dist/lib/python/omero_api_IQuery_ice.py", line 201, in findByQuery
    return _M_omero.api.IQuery._op_findByQuery.invoke(self, ((query, params), _ctx))

SecurityViolation: exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: No matching roles found in [a080dc22-b8d6-4209-a0b3-696321b3981e] for session 430b6190-3b59-4c79-9557-a5272d0cd103 (allowed: [user])
	at ome.security.basic.BasicMethodSecurity.checkMethod(BasicMethodSecurity.java:137)
	at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:81)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at com.sun.proxy.$Proxy80.findByQuery(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
	at ome.services.throttling.Callback.run(Callback.java:56)
	at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
	at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:149)
	at ome.services.blitz.impl.QueryI.findByQuery_async(QueryI.java:92)
	at sun.reflect.GeneratedMethodAccessor409.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at omero.cmd.CallContext.invoke(CallContext.java:78)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at com.sun.proxy.$Proxy81.findByQuery_async(Unknown Source)
	at omero.api._IQueryTie.findByQuery_async(_IQueryTie.java:122)
	at omero.api._IQueryDisp.___findByQuery(_IQueryDisp.java:354)
	at omero.api._IQueryDisp.__dispatch(_IQueryDisp.java:520)
	at IceInternal.Incoming.invoke(Incoming.java:159)
	at Ice.ConnectionI.invokeAll(ConnectionI.java:2357)
	at Ice.ConnectionI.dispatch(ConnectionI.java:1208)
	at Ice.ConnectionI.message(ConnectionI.java:1163)
	at IceInternal.ThreadPool.run(ThreadPool.java:302)
	at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:643)
	at java.lang.Thread.run(Thread.java:744)

    serverExceptionClass = ome.conditions.SecurityViolation
    message = No matching roles found in [a080dc22-b8d6-4209-a0b3-696321b3981e] for session 430b6190-3b59-4c79-9557-a5272d0cd103 (allowed: [user])
}


<WSGIRequest
path:/merge/webclient/load_data/orphaned/,
GET:<QueryDict: {u'view': [u'icon']}>,
POST:<QueryDict: {}>,
COOKIES:{'csrftoken': 'PdhATU5Xarr9bMXIiGkn9aEA6seE9ZkH',
 'sessionid': 'cfy7t2if9lx9f39yv4ak36acuc3eczn9'},
META:{'CONTENT_LENGTH': '',
 'CONTENT_TYPE': '',
 u'CSRF_COOKIE': u'PdhATU5Xarr9bMXIiGkn9aEA6seE9ZkH',
 'HTTPS': 'on',
 'HTTP_ACCEPT': 'text/html, */*; q=0.01',
 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, sdch',
 'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8,de;q=0.6',
 'HTTP_CONNECTION': 'keep-alive',
 'HTTP_COOKIE': 'csrftoken=PdhATU5Xarr9bMXIiGkn9aEA6seE9ZkH; sessionid=cfy7t2if9lx9f39yv4ak36acuc3eczn9',
 'HTTP_HOST': 'trout.openmicroscopy.org',
 'HTTP_REFERER': 'https://trout.openmicroscopy.org/merge/webclient/',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36',
 'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest',
 'PATH_INFO': u'/webclient/load_data/orphaned/',
 'QUERY_STRING': 'view=icon',
 'REQUEST_METHOD': 'GET',
 'SCRIPT_INFO': '/merge',
 'SCRIPT_NAME': u'/merge',
 'SERVER_NAME': 'ome-c6100-3',
 'SERVER_PORT': '443',
 'SERVER_PROTOCOL': 'HTTP/1.1',
 'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x6354410>,
 'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x6c66fd0>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 0)}>

Change History (11)

comment:1 Changed 5 years ago by atarkowska

Perhaps user deactivation should also kill all active sessions?

comment:2 Changed 5 years ago by wmoore

  • Owner set to wmoore

Sorry - Josh, how did you get this? You logged in as a user, then as an Admin you disabled that user? Then the user got this error?

comment:3 Changed 5 years ago by wmoore

  • Component changed from General to Web

comment:4 Changed 5 years ago by jamoore

  • login as user A
  • in another browser, login as root and deactivate user A
  • as user A, try to do anything --> 500

comment:5 Changed 5 years ago by wmoore

I think the nicest solution as Ola suggests is to log out the user when they are deactivated.
Is that possible?
Adding exception handling for this to all API calls would be a lot of work for a very edge-case scenario.

comment:6 Changed 5 years ago by jamoore

We can easily change the exception if that would help.

As for closing all the sessions, that likely falls under "a lot of work" as well. Would a single method "openSessionForUser" suffice which the client could invoke and actively kill before deactivating? Alternatively, ISession.getMyOpenSession exists which could be used via a sudo.

comment:7 Changed 5 years ago by jamoore

  • Milestone changed from 5.1.1 to 5.1.2

Likely going with the exception solution, but not for 5.1.1
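
The two fixes discussed in the comments above (closing a user's sessions on deactivation, or handling the exception in the web layer), sketched as an added example that is not OMERO code. `Server`, `load_data_unguarded`, `load_data_guarded`, `replay` and the `/login/` path are hypothetical stand-ins; an uncaught exception is mapped to 500 the way a web framework's last-resort handler would.

```python
class SecurityViolation(Exception):
    """Stand-in for the server-side omero.SecurityViolation."""

class Server:
    """Toy server (hypothetical): account flags plus a session table."""
    def __init__(self):
        self.active = {}    # user name -> account is active
        self.sessions = {}  # session id -> user name

    def login(self, user, sid):
        if not self.active.setdefault(user, True):
            raise SecurityViolation("user is not active")
        self.sessions[sid] = user

    def deactivate(self, user, close_sessions=False):
        self.active[user] = False
        if close_sessions:  # option 1: revoke every session the user holds
            self.sessions = {s: u for s, u in self.sessions.items() if u != user}

    def find_by_query(self, sid):
        user = self.sessions[sid]  # KeyError when the session is gone
        if not self.active[user]:
            raise SecurityViolation("No matching roles found for session")
        return ["orphaned-image"]

def load_data_unguarded(server, sid):
    """Handles only a missing session; SecurityViolation escapes."""
    try:
        return 200, server.find_by_query(sid)
    except KeyError:
        return 302, "/login/"

def load_data_guarded(server, sid):
    """Option 2: treat a role failure as logged out and drop the session."""
    try:
        return 200, server.find_by_query(sid)
    except (KeyError, SecurityViolation):
        server.sessions.pop(sid, None)
        return 302, "/login/"

def replay(view, close_sessions):
    """comment:4 replayed: A logs in, root deactivates A, A loads data."""
    server = Server()
    server.login("userA", "sid-A")
    server.deactivate("userA", close_sessions)
    try:
        return view(server, "sid-A")[0]
    except Exception:
        return 500  # the framework's last-resort handler
```

Only the combination of a surviving session and an unguarded view reproduces the 500; either fix alone turns the request into a redirect to login.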

comment:8 Changed 5 years ago by wmoore

  • Milestone changed from 5.1.2 to 5.1.3

comment:9 Changed 4 years ago by jamoore

  • Milestone changed from 5.1.4 to OMERO-5.1.4

Splitting 5.1.4 due to milestone decoupling

comment:10 Changed 4 years ago by sbesson

  • Milestone changed from OMERO-5.1.4 to 5.x

As discussed with Will earlier today, pushing the non-critical Web tickets out of 5.1.4

comment:11 Changed 4 years ago by jamoore

  • Milestone changed from 5.x to Unscheduled