Task #9474 (closed)
BUG: admins don't have edit permission on objects
Reported by: | cneves | Owned by: | jamoore |
---|---|---|---|
Priority: | blocker | Milestone: | OMERO-4.4.4 |
Component: | OmeroPy | Version: | n.a. |
Keywords: | n.a. | Cc: | omero-team@… |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2012-08-28 (3) |
Description
Retrieving an image for which group the admin user isn't a member of (using omero.group=-1) the permissions for the object show admins not able to edit.
using omero@develop + https://github.com/cneves/openmicroscopy/tree/postdecorators/7202_unittest_review
bash-3.2$ ICE_CONFIG=../../../dist/etc/ice.config PYTHONPATH=$PYTHONPATH:.:test/ python setup.py test -s test.gatewaytest.chmod.DefaultSetupTest.testAuthorCanEdit WARNING: '' not a valid package name; please use only.-separated package names in setup.py running test running egg_info writing target/omero_client.egg-info/PKG-INFO writing top-level names to target/omero_client.egg-info/top_level.txt writing dependency_links to target/omero_client.egg-info/dependency_links.txt reading manifest file 'target/omero_client.egg-info/SOURCES.txt' writing manifest file 'target/omero_client.egg-info/SOURCES.txt' running build_ext testAuthorCanEdit (test.gatewaytest.chmod.DefaultSetupTest) ... FAIL ====================================================================== FAIL: testAuthorCanEdit (test.gatewaytest.chmod.DefaultSetupTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/Users/cn/work/glencoe/omero/github/openmicroscopy/components/tools/OmeroPy/test/gatewaytest/chmod.py", line 478, in testAuthorCanEdit self.assertTrue(i.canEdit(), "Admin can edit Author's image") AssertionError: Admin can edit Author's image ---------------------------------------------------------------------- Ran 1 test in 3.557s FAILED (failures=1)
Change History (5)
comment:1 Changed 12 years ago by jmoore
- Milestone changed from Unscheduled to OMERO-4.4.2
comment:2 Changed 12 years ago by jmoore
- Sprint set to 2012-08-28 (3)
- Status changed from new to accepted
comment:3 Changed 12 years ago by jmoore
The problem is that CurrentDetails.isGraphCritical is returning true. It checks only whether or not world-read OR group-read is activated. Since this method is being called with group=-1 there are NO permissions for the current group, and therefore it is graph critical.
We'll need to make use of any cached group-per-object data or re-load the objects group.
comment:4 Changed 12 years ago by jmoore
- Cc omero-team@… added
- Resolution set to fixed
- Status changed from accepted to closed
Fix available on https://github.com/openmicroscopy/openmicroscopy/pull/292 for testing. Carlos to do initial testing. As mentioned on the PR, though, this could have very serious repercussions. Keep an eye out for any permissions-related weirdness.
comment:5 Changed 12 years ago by jmoore <josh@…>
- Remaining Time set to 0
(In [626912d44727e13fbc3fb2ff02ee9eefbbd13549/ome.git] on branch develop) Fix canEdit for admins (Fix #9474)
This was a good deal more complicated than would might
have expected. In order to handle the group==-1 case,
it was necessary to pass in the details to isGraphCritical.
However, to be able to simultaneously check each of the
different types of writes (ANNOTATE, EDIT, DELETE, LINK)
it was necessary to re-work allowUpdateOrDelete to check
multiple at the same time.
Feel free to put these in the current milestone.