Task #445 (closed)
Logging in as root with a non-system group prevents administration.
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | minor | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 3.0-M3 |
Keywords: | login | Cc: | |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
Not completely sure if this is a feature or a bug, but a root login of the form:

    Login rootLogin = new Login(root, pass, "user", "Test");
    ServiceFactory rootSF = new ServiceFactory(rootLogin);

will not be able to perform (all) admin tasks, such as updating GroupExperimenterMaps:

    Created group:ExperimenterGroup:Id_206
    Exception in thread "main" ome.conditions.SecurityViolation: Updating GroupExperimenterMap:Id_714 not allowed.
        at ome.security.basic.BasicACLVoter.throwUpdateViolation(BasicACLVoter.java:139)
        at ome.security.ACLEventListener.onPreUpdate(ACLEventListener.java:163)
        at org.hibernate.action.EntityUpdateAction.preUpdate(EntityUpdateAction.java:220)
        at org.hiberna

Changing "user" to "system" in the login above prevents the exception.
Change History (3)
comment:1 Changed 14 years ago by jmoore
- Milestone changed from Unscheduled to OMERO-Beta4.2
comment:2 Changed 14 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
Now system and group admins do not have to log into a group to have admin rights over a particular group. This was necessary, because group-security (#1434) requires that a user (even an admin) log into a group in order to see data. This reduces the chances of mixing of groups. But if an admin had to log in to "system" to have admin rights, then there would be no way to see any data outside of "system". (See #1769 which may say it would be sensible for admins to not see anything outside of system.)
comment:3 Changed 14 years ago by jmoore
- Type changed from Bug to Task
This must also be fixed as a part of #1434
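
The rule described in comment:2, as an added example that is not part of the ticket or of OMERO's code: a simplified Java model (Java 16+) contrasting admin rights tied to the login group with admin rights tied to membership or ownership, while data visibility stays tied to the login group. All class and method names, the "lab" group, the users "alice" and "bob", and the memberships are hypothetical, constructed sample data.

```java
import java.util.Map;
import java.util.Set;

// Simplified model, not OMERO code. All names here are hypothetical.
public class AdminScopeModel {

    // A session: who logged in, and the group named in the login.
    record Session(String user, String loginGroup) {}

    // Constructed sample data: group members and group owners (group admins).
    static final Map<String, Set<String>> MEMBERS = Map.of(
            "system", Set.of("root"),
            "user", Set.of("root", "alice", "bob"),
            "lab", Set.of("alice", "bob"));
    static final Map<String, Set<String>> OWNERS = Map.of("lab", Set.of("alice"));

    // Reported behaviour: admin rights depend on the login group alone,
    // so targetGroup is ignored.
    static boolean canAdministerBefore(Session s, String targetGroup) {
        return "system".equals(s.loginGroup());
    }

    // Behaviour described in comment:2: admin rights depend on who the user is
    // (system member, or owner of the target group), not on the login group.
    static boolean canAdministerAfter(Session s, String targetGroup) {
        boolean systemAdmin = MEMBERS.get("system").contains(s.user());
        boolean groupAdmin = OWNERS.getOrDefault(targetGroup, Set.of()).contains(s.user());
        return systemAdmin || groupAdmin;
    }

    // Group security (#1434): data is visible only in the login group, admin or not.
    static boolean canSeeData(Session s, String dataGroup) {
        return dataGroup.equals(s.loginGroup());
    }

    public static void main(String[] args) {
        for (String user : new String[] {"root", "alice", "bob"}) {
            Session s = new Session(user, "user"); // everyone logs into "user"
            System.out.printf("%-5s before=%b after=%b seesLab=%b seesUser=%b%n", user,
                    canAdministerBefore(s, "lab"), canAdministerAfter(s, "lab"),
                    canSeeData(s, "lab"), canSeeData(s, "user"));
        }
    }
}
```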