Task #8711 (closed)
Bug: Permission in Private group
| Reported by: | jburel | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-4.4 |
| Component: | Services | Version: | n.a. |
| Keywords: | n.a. | Cc: | wmoore, rkferguson |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2012-05-22 (15) |
Description
Context:
- Private group
- User is group owner or admin
- canEdit method returns true but a security violation error is returned if the user tries to edit the name of an object (image for example)
Choice:
- Either fix the security Violation
- Or canEdit return false.
Tests pushed to "jburel/permission".
Currently for a group owner or and admin
Change History (5)
comment:1 Changed 12 years ago by jmoore
- Cc wmoore rkferguson added
- Remaining Time set to 0.5
comment:2 Changed 12 years ago by wmoore
if canLink() and canEdit() are both false for Admin/Owner? of private group then we are OK?
comment:3 Changed 12 years ago by jburel
Due to time, it is be better to have canEdit and canLink returning false.
comment:4 Changed 12 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from new to closed
canEdit now false for admin in priv. group. Pushed to will/chmod_web_8434
comment:5 Changed 12 years ago by jmoore <josh@…>
(In [b2a195203a6598a1fbf6aa03f4850f8860e01ae9/ome.git] on branch develop) Remove canEdit from admin in private group (Fix #8711)
In other words, in a graph critical situation, not only
can the admin or group owner not link but they can also
not edit the data. Only delete should be possible.
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
So there is a deeper issue in hibernate preventing canLink and canEdit from being different (but not canDelete). We should discuss.