Task #445 (closed)

Opened 18 years ago

Closed 14 years ago

Last modified 14 years ago

Logging in as root with a non-system group prevents administration.

Reported by: jamoore
Owned by: jamoore
Priority: minor
Milestone: OMERO-Beta4.2
Component: Security
Version: 3.0-M3
Keywords: login
Cc:
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.

Description

Not completely sure if this is a feature or a bug, but a root login of the form:

	Login rootLogin = new Login(root, pass, "user", "Test");
	ServiceFactory rootSF = new ServiceFactory(rootLogin);

will not be able to perform (all) admin tasks, such as updating GroupExperimenterMaps:

Created group:ExperimenterGroup:Id_206
Exception in thread "main" ome.conditions.SecurityViolation: Updating GroupExperimenterMap:Id_714 not allowed.
	at ome.security.basic.BasicACLVoter.throwUpdateViolation(BasicACLVoter.java:139)
	at ome.security.ACLEventListener.onPreUpdate(ACLEventListener.java:163)
	at org.hibernate.action.EntityUpdateAction.preUpdate(EntityUpdateAction.java:220)
	at org.hiberna

Changing "user" to "system" in the login above prevents the exception.

Change History (3)

comment:1 Changed 14 years ago by jmoore

  • Milestone changed from Unscheduled to OMERO-Beta4.2

This must also be fixed as a part of #1434

comment:2 Changed 14 years ago by jmoore

  • Resolution set to fixed
  • Status changed from new to closed

Now system and group admins do not have to log into a group to have admin rights over a particular group. This was necessary because group-security (#1434) requires that a user (even an admin) log into a group in order to see data. This reduces the chances of mixing of groups. But if an admin had to log in to "system" to have admin rights, then there would be no way to see any data outside of "system". (See #1769, which may say it would be sensible for admins to not see anything outside of system.)

comment:3 Changed 14 years ago by jmoore

  • Type changed from Bug to Task