Task #1791 (closed)
Opened 9 years ago
Closed 9 years ago
Permissions : User photos broken
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | blocker | Milestone: | OMERO-Beta4.2 |
| Component: | Security | Version: | 4.1 |
| Keywords: | n.a. | Cc: | atarkowska, jburel |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2010-05-13 (9) | | |
Description
Similar to #1784 in which scripting was broken since scripts were only in one group, user photos are currently broken. Most acutely, IMetadata.loadAnnotations is failing with:
```
serverExceptionClass = "ome.conditions.SecurityViolation"
message = "Cannot read ome.model.annotations.ExperimenterAnnotationLink:Id_1"
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
```
(which it shouldn't - bug 1), but more generally, once photos are added to a single group, they aren't loadable while logged into another group (bug 2).
One solution may be a fix similar to the one for #1784: there, 'shared' system objects were put in the "system" group and that was made permanently readable and linkable. The "user" group could become a space for similar, non-admin data.
This ticket is related to #1434
Change History (13)
comment:1 Changed 9 years ago by jmoore
comment:2 Changed 9 years ago by jmoore
- Importance set to Mandatory
- Sprint set to Sprint 2
- Story Points set to 2
- Type changed from defect to User Story
comment:3 Changed 9 years ago by jmoore
- Type changed from User Story to Task
comment:4 Changed 9 years ago by jmoore
- Sprint 2010-02-19 (3) deleted
comment:5 Changed 9 years ago by jmoore
- Sprint set to 2010-03-19 (5)
comment:6 Changed 9 years ago by jmoore
- Remaining Time set to 0.5
comment:7 Changed 9 years ago by jmoore
- r6094 - WORLD use of "user" group
comment:8 Changed 9 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from new to closed
Handling as a part of #1794. The solution will be to have either an upload method for images which automatically moves them to the "user" group, or the client uses a special "IAdmin.moveToUser" method which knows to allow user images. The issues with #1798, which caused this problem to be seen, will be handled separately. (Were it not for that bug, a user would have just not seen his/her images while logged into another group.)
comment:9 Changed 9 years ago by atarkowska
- Resolution fixed deleted
- Status changed from closed to reopened
comment:10 Changed 9 years ago by atarkowska
If the OriginalFile was created in the context of group permission rwrw-- and I would like to update that file in the context of group rwr---, it throws an exception:
```
GroupSecurityViolation at /webclient/upload_myphoto/crop/
exception ::omero::GroupSecurityViolation
{
serverStackTrace = ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_253(rwrw--) from rwr--- to rwr---
at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:770)
at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:616)
at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:307)
at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:181)
at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:372)
at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:349)
at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:287)
at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:155)
at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:219)
at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:99)
at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:50)
at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1206)
at ome.logic.UpdateImpl.afterUpdate(UpdateImpl.java:287)
at ome.logic.UpdateImpl.doAction(UpdateImpl.java:305)
at ome.logic.UpdateImpl.doAction(UpdateImpl.java:295)
at ome.logic.UpdateImpl.saveAndReturnObject(UpdateImpl.java:117)
at ome.logic.AdminImpl.uploadMyUserPhoto(AdminImpl.java:468)
at sun.reflect.GeneratedMethodAccessor1190.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.security.basic.EventHandler.invoke(EventHandler.java:144)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy63.uploadMyUserPhoto(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1190.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:83)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:40)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy63.uploadMyUserPhoto(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
at ome.services.throttling.Callback.run(Callback.java:56)
at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:132)
at ome.services.blitz.impl.AdminI.uploadMyUserPhoto_async(AdminI.java:374)
at omero.api._IAdminTie.uploadMyUserPhoto_async(_IAdminTie.java:372)
at omero.api._IAdminDisp.___uploadMyUserPhoto(_IAdminDisp.java:710)
at omero.api._IAdminDisp.__dispatch(_IAdminDisp.java:1635)
at IceInternal.Incoming.invoke(Incoming.java:159)
at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
at Ice.ConnectionI.message(ConnectionI.java:972)
at IceInternal.ThreadPool.run(ThreadPool.java:577)
at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
serverExceptionClass = ome.conditions.GroupSecurityViolation
message = Cannot change permissions for ome.model.core.OriginalFile:Id_253(rwrw--) from rwr--- to rwr---
}
```
comment:11 Changed 9 years ago by atarkowska
- Sprint changed from 2010-03-19 (5) to 2010-05-13 (9)
comment:12 Changed 9 years ago by jmoore
Ola, is one of the existing tests failing?
comment:13 Changed 9 years ago by jmoore
- Resolution set to fixed
- Status changed from reopened to closed
r6094 contains an initial workaround for this (may change). Now, users can put items into the "user" group which will be above-and-beyond the group-security constraints, i.e. they will be queryable regardless of what group you're in.
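As an added illustration (not OMERO's own code) of the group-scoped read check behind bug 2 in the description and of the "user"-group workaround in this comment: a toy model that parses OMERO-style six-character permission strings (owner rw, group rw, world rw, so "rwrw--" is group read-write and "rwr---" group read-only) and lets objects in the "user" or "system" group bypass the active-group restriction. The group names "lab" and "other", the login "ola" and the function names are constructed for the example.

```python
from dataclasses import dataclass

# Groups whose contents bypass group scoping after r6094 (names assumed).
CONTEXT_FREE_GROUPS = frozenset({"user", "system"})


@dataclass(frozen=True)
class Perms:
    """Read bits parsed from an OMERO-style string such as "rwrw--"."""
    owner_read: bool
    group_read: bool

    @classmethod
    def parse(cls, s: str) -> "Perms":
        # Six characters: owner rw, group rw, world rw.
        if len(s) != 6 or any(c not in "rw-" for c in s):
            raise ValueError(f"bad permission string: {s!r}")
        return cls(owner_read=s[0] == "r", group_read=s[2] == "r")


@dataclass(frozen=True)
class Obj:
    owner: str   # login of the owner
    group: str   # group the object was created in
    perms: Perms


def can_read(obj: Obj, caller: str, active_group: str, workaround: bool = True) -> bool:
    """True if `caller`, logged into `active_group`, may read `obj`.

    Without the workaround an object outside the active group is invisible,
    which is why a photo uploaded in one group could not be loaded from
    another (bug 2 in the description).
    """
    if workaround and obj.group in CONTEXT_FREE_GROUPS:
        return True
    if obj.group != active_group:
        return False
    return obj.perms.owner_read if obj.owner == caller else obj.perms.group_read


def photo_scenarios() -> dict:
    """Constructed scenario: a user uploads a photo, then switches groups."""
    in_lab = Obj("ola", "lab", Perms.parse("rwr---"))
    in_user = Obj("ola", "user", Perms.parse("rwr---"))
    return {
        "same_group": can_read(in_lab, "ola", "lab"),
        "other_group_bug2": can_read(in_lab, "ola", "other"),
        "user_group_fixed": can_read(in_user, "ola", "other"),
        "user_group_no_workaround": can_read(in_user, "ola", "other", workaround=False),
    }
```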