Task #1791 (closed)
Opened 15 years ago
Closed 14 years ago
Permissions : User photos broken
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | blocker | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 4.1 |
Keywords: | n.a. | Cc: | atarkowska, jburel |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2010-05-13 (9) |
Description
Similar to #1784 in which scripting was broken since scripts were only in one group, user photos are currently broken. Most acutely, IMetadata.loadAnnotations is failing with:
```
serverExceptionClass = "ome.conditions.SecurityViolation"
message = "Cannot read ome.model.annotations.ExperimenterAnnotationLink:Id_1"
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
```
(which it shouldn't - bug 1), but more generally, once photos are added to a single group, they aren't loadable while logged into another group (bug 2).
One solution may be a fix similar to the one for #1784: there, 'shared' system objects were put in the "system" group and that was made permanently readable and linkable. The "user" group could become a space for similar, non-admin data.
This ticket is related to #1434
Change History (13)
comment:1 Changed 15 years ago by jmoore
comment:2 Changed 15 years ago by jmoore
- Importance set to Mandatory
- Sprint set to Sprint 2
- Story Points set to 2
- Type changed from defect to User Story
comment:3 Changed 15 years ago by jmoore
- Type changed from User Story to Task
comment:4 Changed 15 years ago by jmoore
- Sprint 2010-02-19 (3) deleted
comment:5 Changed 15 years ago by jmoore
- Sprint set to 2010-03-19 (5)
comment:6 Changed 15 years ago by jmoore
- Remaining Time set to 0.5
comment:7 Changed 15 years ago by jmoore
- r6094 - WORLD use of "user" group
comment:8 Changed 15 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from new to closed
Handling as a part of #1794. The solution will be to have either an upload method for images which automatically moves them to the "user" group, or the client uses a special "IAdmin.moveToUser" method which knows to allow user images. The issues with #1798, which caused this problem to be seen, will be handled separately. (Were it not for that bug, a user would have just not seen his/her images while logged into another group.)
comment:9 Changed 14 years ago by atarkowska
- Resolution fixed deleted
- Status changed from closed to reopened
comment:10 Changed 14 years ago by atarkowska
If the OriginalFile was created in the context of group permission rwrw-- and I would like to update that file in the context of group rwr---, it throws an exception:
```
GroupSecurityViolation at /webclient/upload_myphoto/crop/
exception ::omero::GroupSecurityViolation
{
    serverStackTrace = ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_253(rwrw--) from rwr--- to rwr---
        at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:770)
        at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:616)
        at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:307)
        at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:181)
        at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:372)
        at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:349)
        at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:287)
        at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:155)
        at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:219)
        at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:99)
        at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:50)
        at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1206)
        at ome.logic.UpdateImpl.afterUpdate(UpdateImpl.java:287)
        at ome.logic.UpdateImpl.doAction(UpdateImpl.java:305)
        at ome.logic.UpdateImpl.doAction(UpdateImpl.java:295)
        at ome.logic.UpdateImpl.saveAndReturnObject(UpdateImpl.java:117)
        at ome.logic.AdminImpl.uploadMyUserPhoto(AdminImpl.java:468)
        at sun.reflect.GeneratedMethodAccessor1190.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:592)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at ome.security.basic.EventHandler.invoke(EventHandler.java:144)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy63.uploadMyUserPhoto(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor1190.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:592)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:83)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:40)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy63.uploadMyUserPhoto(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:592)
        at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
        at ome.services.throttling.Callback.run(Callback.java:56)
        at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
        at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:132)
        at ome.services.blitz.impl.AdminI.uploadMyUserPhoto_async(AdminI.java:374)
        at omero.api._IAdminTie.uploadMyUserPhoto_async(_IAdminTie.java:372)
        at omero.api._IAdminDisp.___uploadMyUserPhoto(_IAdminDisp.java:710)
        at omero.api._IAdminDisp.__dispatch(_IAdminDisp.java:1635)
        at IceInternal.Incoming.invoke(Incoming.java:159)
        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
        at Ice.ConnectionI.message(ConnectionI.java:972)
        at IceInternal.ThreadPool.run(ThreadPool.java:577)
        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
        at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
    serverExceptionClass = ome.conditions.GroupSecurityViolation
    message = Cannot change permissions for ome.model.core.OriginalFile:Id_253(rwrw--) from rwr--- to rwr---
}
```
comment:11 Changed 14 years ago by atarkowska
- Sprint changed from 2010-03-19 (5) to 2010-05-13 (9)
comment:12 Changed 14 years ago by jmoore
Ola, is one of the existing tests failing?
comment:13 Changed 14 years ago by jmoore
- Resolution set to fixed
- Status changed from reopened to closed
r6094 contains an initial workaround for this (may change). Now, users can put items into the "user" group which will be above-and-beyond the group-security constraints, i.e. they will be queryable regardless of what group you're in.
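
The behaviour discussed in this ticket (bug 2 in the description, and the "user" group exemption from comment:13) can be sketched as a simplified model. This is an added example, not OMERO's code: `Obj`, `Session`, `parse_perms`, `can_read` and the group names `lab-a`/`lab-b` are hypothetical, and the only things taken from the ticket are the six-character permission strings and the "system"/"user" group names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    owner: str
    group: str
    perms: str  # user/group/world read-write pairs, e.g. "rwr---"

@dataclass(frozen=True)
class Session:
    user: str
    current_group: str  # the group the user is logged into

def parse_perms(perms):
    """Validate a six-character string such as 'rwrw--' and return its read bits."""
    if len(perms) != 6 or any(c not in (flag, "-") for c, flag in zip(perms, "rwrwrw")):
        raise ValueError(f"malformed permission string: {perms!r}")
    return {"user": perms[0] == "r", "group": perms[2] == "r", "world": perms[4] == "r"}

def can_read(session, obj, exempt_groups=frozenset({"system"})):
    """Group-scoped read check; objects in an exempt group skip the group check."""
    read = parse_perms(obj.perms)
    if obj.group in exempt_groups:
        return True  # readable regardless of the login group
    if obj.group != session.current_group:
        return False  # bug 2: object lives in a group other than the login group
    if obj.owner == session.user:
        return read["user"]
    return read["group"] or read["world"]

def demo():
    # Constructed sample data: alice's photo stored in lab-a, alice logged into lab-b.
    photo = Obj(owner="alice", group="lab-a", perms="rwr---")
    in_lab_b = Session(user="alice", current_group="lab-b")
    before = can_read(in_lab_b, photo)
    # After the workaround: photo placed in "user", which is treated as exempt.
    moved = Obj(owner="alice", group="user", perms="rwr---")
    after = can_read(in_lab_b, moved, exempt_groups=frozenset({"system", "user"}))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Any group added to the exempt set sits outside the group-security constraints entirely, so the model makes visible why only deliberately shared data belongs there.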