Task #8798 (closed)
BUG: object permissions not being overridden by group permissions
| Reported by: | cneves | Owned by: | jamoore |
|---|---|---|---|
| Priority: | blocker | Milestone: | OMERO-4.4 |
| Component: | Security | Version: | n.a. |
| Keywords: | n.a. | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2012-05-22 (15) |
Description
This test is based on:
checkout omero/develop @ 96506ecd11be73a91799eb4fb6282eb1a76b0c63
merge josh/2874-chmod @ a6f37a30e37d686992ca78125900fa46d6772691
merge cneves/feature/7202_unittest_review @ aac34ce9bef88c52a79bb308c8c789fbf48ba110
All the above with all conflicts resolved can be found in cneves @ 183ea249d71c8e9dae3a4f7e14d16f191d070b37
The test gatewaytest.user.UserTest?.testGroupOverObjPermissions creates a project on a rw---- group, which has the side effect of creating the object with the same permissions. After changing the group permissions to rwrw-- an experimenter that is part of the group but not the object owner gets a SecurityViolation? when trying to fetch the project.
If I change the object (not group) permissions to rwrw-- directly on the DB it all works as expected.
Change History (4)
comment:1 Changed 12 years ago by jmoore
- Component changed from General to Security
- Milestone changed from Unscheduled to OMERO-Beta4.4
- Priority changed from major to blocker
- Remaining Time set to 0.25
- Sprint set to 2012-05-22 (15)
- Status changed from new to accepted
comment:2 Changed 12 years ago by jmoore
- Remaining Time changed from 0.25 to 0
- Resolution set to fixed
- Status changed from accepted to closed
comment:3 Changed 12 years ago by jmoore <josh@…>
(In [f074c59c3cd3eccd354b2ccf209038ee73aef7dd/ome.git] on branch develop) Load group for every logic in BasicACLVoter.allowLoad (Fix #8798)
Since the current group is ID=-1 when in the AllGroupsSecurityFilter?,
the current group permissions are EMPTY. Therefore, we now pass the
session into all ACLVoter implementations in order to allow loading
the requested object's group.
comment:4 Changed 12 years ago by jmoore <josh@…>
(In [f93f93e3ee9ae0a599b07d932e02c02e1bad74df/ome.git] on branch develop) Force loading of group permissions when null! (See #8798, #8861)
This is a nasty workaround. For every object, it's
hitting the database to find out the permissions. If
we can't figure out why these permissions are null in
the first place, then the better solution will be to
introduce a GrouPermissionsCache? which keeps all of this
nice and tidy.
Pushed fix to will/chmod_web_8434 (as opposed to the branches Carlos was working on)
commit f074c59c3cd3eccd354b2ccf209038ee73aef7dd Author: jmoore <josh@glencoesoftware.com> Date: Tue May 15 14:24:15 2012 +0200 Load group for every logic in BasicACLVoter.allowLoad (Fix #8798) Since the current group is ID=-1 when in the AllGroupsSecurityFilter, the current group permissions are EMPTY. Therefore, we now pass the session into all ACLVoter implementations in order to allow loading the requested object's group. components/server/src/ome/security/ACLEventListener.java | 2 +- components/server/src/ome/security/ACLVoter.java | 5 ++++- components/server/src/ome/security/CompositeACLVoter.java | 5 +++-- components/server/src/ome/security/SecurityFilter.java | 2 +- components/server/src/ome/security/SecurityFilterHolder.java | 4 ++-- components/server/src/ome/security/basic/AllGroupsSecurityFilter.java | 24 +++++++++--------------- components/server/src/ome/security/basic/BasicACLVoter.java | 5 +++-- components/server/src/ome/security/basic/OneGroupSecurityFilter.java | 2 +- components/server/src/ome/security/sharing/SharingACLVoter.java | 7 ++++--- components/server/test/ome/server/utests/sec/SecuritySystemTest.java | 10 +++++----- 10 files changed, 33 insertions(+), 33 deletions(-)