Task #1776 (closed)
Permissions : Prevent inappropriate permission changes in IObjects
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | major | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 4.1 |
Keywords: | n.a. | Cc: | jburel, atarkowska, cxallan |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
This ticket is a part of #1434
With group security, the permission column for all IObjects other than ExperimenterGroup is largely obsolete (and may be removed in future versions). However, as long as the field exists, we should guarantee that it isn't inappropriately changed. (Note: changes to the SecurityFilter in #1771 already ignore the row-level permissions for most things.)
- all READ permissions should be synced with the group permissions.
- WRITE permissions will continue to be used for the present.
Change History (8)
comment:1 Changed 14 years ago by jmoore
comment:2 Changed 14 years ago by jmoore
r6054 matches all READ and WRITE permissions to match that of the group (i.e. no individual object modifications are allowed). Instead, wider changes are permitted via changePermissions(ExperimenterGroup).
comment:3 Changed 14 years ago by jmoore
r6056 includes a fix for IAdmin.updateGroup so that if permissions are non-null, then changePermissions() will be called internally.
comment:4 Changed 14 years ago by jmoore
r6058 fixes an issue in updateGroup() when permissions have been modified.
comment:5 Changed 14 years ago by jmoore
Note: it may be of use for clients to generally use the group.getDetails().getPermissions() or the eventContext.groupPermissions objects as a basis for creating new permissions to prevent mistakes. For example, --r--- is not a valid permissions object so the following code will (currently) fail:
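```python
import omero.model

# iAdmin and myGroup are assumed to exist in the calling code.
p = omero.model.PermissionsI()
p.setGroupRead(True)
iAdmin.changePermissions(myGroup, p)  # fails: --r--- is not valid
```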
comment:6 Changed 14 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
r6107 removes a last "NYI" related to the previous comment. We may want to expand the supported transitions later, but closing for now.
comment:7 Changed 14 years ago by jmoore
comment:8 Changed 14 years ago by jmoore
see #2873
r6052 contains a check that guarantees that READ permissions for GROUP & WORLD are identical with those of the group object. (We still haven't decided what ------ means, so it's not being checked for.)
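The checks described in the comments above (r6052: GROUP and WORLD READ must match the group; r6054: all READ and WRITE flags must match) can be modelled on the six-character permission strings used in this ticket. This is an added example, not OMERO code: `parse` and `mismatches` are hypothetical names, the sample strings are constructed, and skipping an object value of `------` in the READ-only check is an assumption based on the r6052 note.

```python
import re

ROLES = ("user", "group", "world")
# Three (read, write) pairs in the order user, group, world, e.g. "rwr---".
_PERMS = re.compile(r"(?:[r-][w-]){3}")


def parse(perms):
    """Return {role: (read, write)} for a permissions string."""
    if not _PERMS.fullmatch(perms):
        raise ValueError("malformed permissions string: %r" % (perms,))
    return {role: (perms[2 * i] == "r", perms[2 * i + 1] == "w")
            for i, role in enumerate(ROLES)}


def mismatches(obj_perms, group_perms, include_write=False):
    """List the flags on an object that differ from its group's flags.

    include_write=False models the r6052 check (GROUP and WORLD READ only).
    include_write=True models the r6054 rule (every READ and WRITE flag).
    """
    obj, grp = parse(obj_perms), parse(group_perms)
    # Assumption: "------" is left unchecked in the READ-only mode, because
    # the ticket says its meaning had not been decided.
    if not include_write and obj_perms == "------":
        return []
    roles = ROLES if include_write else ("group", "world")
    found = []
    for role in roles:
        if obj[role][0] != grp[role][0]:
            found.append(role + " READ")
        if include_write and obj[role][1] != grp[role][1]:
            found.append(role + " WRITE")
    return found


if __name__ == "__main__":
    group = "rwr---"  # constructed sample group permissions
    for candidate in ("rwr---", "--r---", "rwrwr-", "------"):
        print(candidate,
              mismatches(candidate, group),
              mismatches(candidate, group, include_write=True))
```

In this model a `--r---` value built from scratch passes the READ-only comparison against an `rwr---` group but differs in both user flags under the stricter rule, which is the kind of mistake that starting from the group's own permissions avoids.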