Task #1779 (closed)
Opened 14 years ago
Closed 14 years ago
BUG : permissions of non-group system types is influenced by current group
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | minor | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 4.1 |
Keywords: | n.a. | Cc: | |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2010-04-02 (6) |
Change History (7)
comment:1 Changed 14 years ago by jmoore
comment:2 Changed 14 years ago by cneves
Not sure this is related, but the offending line in the source code mentions this ticket.
I have an image in a group that has rwrw-- perms, and I attach an annotation. When I retrieve, change (only the value) and save that annotation I get:
```
File "/Users/cn/work/clients/glencoe/sandbox/beta4/sandbox2/dist/lib/python/omero_API_ice.py", line 2360, in saveAndReturnObject
    return _M_omero.api.IUpdate._op_saveAndReturnObject.invoke(self, ((obj, ), _ctx))
omero.GroupSecurityViolation: exception ::omero::GroupSecurityViolation
{
    serverStackTrace = ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.annotations.CommentAnnotation:Id_34(rwrw--) from rwrwrw to rwrwrw
    at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:794)
    at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:627)
    at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:309)
    at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:183)
    (...)
```
The offending code is in OmeroInterceptor:
```java
// see https://trac.openmicroscopy.org.uk/omero/ticket/1776
Permissions groupPerms = currentUser.getCurrentEventContext()
        .getCurrentGroupPermissions();
if (!sysType && !groupPerms.sameRights(currentP)) {
    // ticket:1779
    throw new GroupSecurityViolation(String.format(
            "Cannot change permissions for %s(%s) from %s to %s ",
            obj, groupPerms, tmpPreviousP, currentP));
}
```
Specifically, groupPerms allow the user to save the object (g+w), but this snippet tests if the permissions are about to change, only comparing object permissions against group permissions, and then stating the permissions would change (when, in fact, they remain the same, afaict).
Adding an extra check to see if the object's permissions are identical does the trick for me:
```java
// see https://trac.openmicroscopy.org.uk/omero/ticket/1776
Permissions groupPerms = currentUser.getCurrentEventContext()
        .getCurrentGroupPermissions();
if (!sysType && !groupPerms.sameRights(currentP)
        && !currentP.identical(tmpPreviousP)) {
    // ticket:1779
    throw new GroupSecurityViolation(String.format(
            "Cannot change permissions for %s(%s) from %s to %s ",
            obj, groupPerms, tmpPreviousP, currentP));
}
```
but I have no idea if I grasped this correctly or not...
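Added example, not part of the ticket or of OMERO's code: a minimal Java model (Java 16+, for records) of the two guards quoted in comment:2, evaluated on the case from the stack trace and on a few constructed ones. `GuardDemo`, `Perms`, `Case`, `originalRejects` and `proposedRejects` are hypothetical names, and `sameRights`/`identical` are both assumed to reduce to comparing the rights string.

```java
import java.util.List;

public class GuardDemo {

    // Hypothetical stand-in for the server's Permissions type: only the
    // "rwrwrw"-style rights string is modelled.
    record Perms(String rights) {
        // Assumption: in this model both comparisons are plain string equality.
        boolean sameRights(Perms o) { return rights.equals(o.rights); }
        boolean identical(Perms o)  { return rights.equals(o.rights); }
    }

    // Guard as quoted first in comment:2: rejects whenever a non-system object's
    // permissions differ from the current group's, changed or not.
    static boolean originalRejects(boolean sysType, Perms group, Perms prev, Perms cur) {
        return !sysType && !group.sameRights(cur);
    }

    // Guard with the extra identical() check proposed in comment:2.
    static boolean proposedRejects(boolean sysType, Perms group, Perms prev, Perms cur) {
        return !sysType && !group.sameRights(cur) && !cur.identical(prev);
    }

    record Case(String name, boolean sysType, String group, String prev, String cur) {}

    public static void main(String[] args) {
        List<Case> cases = List.of(
            // Values read from the trace's format arguments: (group) from prev to cur.
            new Case("value-only edit (reported trace)", false, "rwrw--", "rwrwrw", "rwrwrw"),
            // The remaining rows are constructed for comparison.
            new Case("permissions moved away from group", false, "rwrw--", "rwrw--", "rwrwrw"),
            new Case("permissions brought in line", false, "rwrw--", "rwrwrw", "rwrw--"),
            new Case("object already matches group", false, "rwrw--", "rwrw--", "rwrw--"),
            new Case("system type", true, "rwrw--", "rw----", "rwrwrw"));

        for (Case c : cases) {
            Perms g = new Perms(c.group()), p = new Perms(c.prev()), n = new Perms(c.cur());
            System.out.printf("%-36s original=%-5b proposed=%b%n", c.name(),
                    originalRejects(c.sysType(), g, p, n),
                    proposedRejects(c.sysType(), g, p, n));
        }
    }
}
```

Only the first row differs between the two guards: a save that leaves the permissions untouched is no longer rejected when the object's stored permissions already differ from the group's, while a save that moves permissions away from the group's is still refused.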
comment:3 Changed 14 years ago by jmoore
Carlos, this is a different issue. I'm going to subsume it into #1731 and include the addition of the PermissionsMismatch exception suggested on WorkPlan/Permissions.
comment:4 Changed 14 years ago by jmoore
- Summary changed from Permissions : permissions of non-group system types is influenced by current group to BUG : permissions of non-group system types is influenced by current group
- Type changed from Bug to Task
comment:5 Changed 14 years ago by jmoore
- Remaining Time set to 0.5
- Sprint set to 2010-04-02 (6)
comment:6 Changed 14 years ago by jmoore
- Status changed from new to assigned
comment:7 Changed 14 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from assigned to closed
r6057