Task #8712 (closed)
Bug: Member and read permissions
Reported by: | jburel | Owned by: | jburel |
---|---|---|---|
Priority: | blocker | Milestone: | OMERO-4.4 |
Component: | Services | Version: | n.a. |
Keywords: | n.a. | Cc: | jamoore |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | 2012-05-22 (15) |
Description
A basic user in RW, RWR, or RWRA is able to delete other members' data.
Test available in jburel/permission
Change History (10)
comment:1 Changed 12 years ago by jmoore
comment:2 Changed 12 years ago by jmoore
I'm guessing RolesTest.testInteraction?
- for rw, the report returned is "Object missing."
- for rwr, it's also not actually deleting the object.
We'll need to modify the tests to test for deletion, and perhaps open a bug to have an error raised if the top-level object is not found (this goes for chgrp, too).
comment:3 Changed 12 years ago by jburel
I will review the tests and check that we have something in place for the DeleteServicePermission tests.
comment:4 Changed 12 years ago by wmoore
I find that a member of 'rwrw--' is NOT able to delete another user's data. See #8723.
comment:5 Changed 12 years ago by jburel
tests reviewed/modified:
- chmod/Roles:
  - Failing: testInteractionByAdminRW and testInteractionByGroupOwnerRW, both awaiting the change of canEdit discussed above.
- DeleteServicePermissionsTest
  - failing testDeleteObjectByMemberRWRW
comment:6 Changed 12 years ago by jmoore
- Cc jmoore added
- Owner changed from jmoore to jburel
```
@chmod_web_8434 /tmp/scratch $ ./build.py -Dtestng.verbose=10 -Dtestng.useDefaultListeners=true -f components/tools/OmeroJava/build.xml test -DTEST=RolesTest
...
PASSED: testInteractionByAdminRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByAdminRWRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByGroupOwnerRWRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRW on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWR on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWRA on instance null(integration.chmod.RolesTest)
PASSED: testInteractionByMemberRWRW on instance null(integration.chmod.RolesTest)
FAILED: testInteractionByGroupOwnerRW on instance null(integration.chmod.RolesTest)
junit.framework.AssertionFailedError: Group owner should not be allowed to delete an image/dataset link.
    at junit.framework.Assert.fail(Assert.java:47)
    at integration.chmod.RolesTest.testInteractionByGroupOwnerRW(RolesTest.java:239)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:74)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:673)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:846)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1170)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
    at org.testng.TestRunner.runWorkers(TestRunner.java:1125)
    at org.testng.TestRunner.privateRun(TestRunner.java:749)
    at org.testng.TestRunner.run(TestRunner.java:600)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:317)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:312)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:274)
    at org.testng.SuiteRunner.run(SuiteRunner.java:223)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1007)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:932)
    at org.testng.TestNG.run(TestNG.java:868)
    at org.testng.TestNG.privateMain(TestNG.java:1150)
    at org.testng.TestNG.main(TestNG.java:1114)

===============================================
Ant test
Tests run: 12, Failures: 1, Skips: 0
===============================================
...
```
Tests all seem to be passing except for the status of a group-owner, which was discussed today. Passing back to you, J-M, for handling. (We really should have a place for tests which test the difference between client and server expectations. Any ideas?)
comment:7 Changed 12 years ago by jburel
I will add more tests for the difference between the 2 following today's discussion.
comment:8 Changed 12 years ago by jburel
- Status changed from new to closed
comment:9 Changed 12 years ago by jburel <j.burel@…>
(In [68378aabf1b8004cd027573a4994afa704e37a59/ome.git] on branch develop) Review permissions test (see #8712).
comment:10 Changed 12 years ago by jburel <j.burel@…>
(In [bcbef5b9011b02828e320847f78ba1bdb8d6bfdf/ome.git] on branch develop) Review test following permission discussion. (see #8712)
Jean-Marie, specifically what test?