
grouper-users - Re: [grouper-users] My users can see all the folders

Subject: Grouper Users - Open Discussion List

  • From: Yoann Delattre <>
  • To: Chris Hyzer <>, "" <>
  • Subject: Re: [grouper-users] My users can see all the folders
  • Date: Wed, 08 Oct 2014 10:37:43 +0200

Thanks for your answer,

I ran some gsh to find out whether there are any privs for everyentity.

Something like this:

m1 = MemberFinder.findBySubject(GrouperSession.startRootSession(), SubjectFinder.findById("GrouperAll", true), true);
m1.hasAdmin();
m1.hasAdminInStem();
m1.hasAttrAdmin();
m1.hasAttrDefAttrRead();
m1.hasAttrDefAttrUpdate();
m1.hasAttrOptin();
m1.hasAttrOptout();
m1.hasAttrRead();
m1.hasAttrUpdate();
m1.hasAttrView();
m1.hasCreate();
m1.hasGroupAttrRead();
m1.hasGroupAttrReadInStem();
m1.hasGroupAttrUpdate();
m1.hasGroupAttrUpdateInStem();
m1.hasOptin();
m1.hasOptinInStem();
m1.hasOptout();
m1.hasOptoutInStem();
m1.hasRead();
m1.hasReadInStem();
m1.hasStem();
m1.hasStemAttrRead();
m1.hasStemAttrUpdate();
m1.hasUpdate();
m1.hasUpdateInStem();
m1.hasView();
m1.hasViewInStem();

This line: m1.hasAttrAdmin();

returns this:

edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:attrExternalSubjectInvite:externalSubjectInviteAttrDef,uuid=d69be84fd32843d1856d1b82c5461e76]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:attrExternalSubjectInvite:externalSubjectInviteDef,uuid=542da0d410bb4a349909953dd3e2acec]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:attrLoader:attributeDefLoaderDef,uuid=09544dcc864641ee86caeb5ead8b2eb2]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:attrLoader:attributeDefLoaderTypeDef,uuid=fb9c450a4a8249f68ffbd48993113bce]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:disciplines,uuid=d2e3410fe5a2475a80d972379d287468]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:disciplines:agora,uuid=3348f730260f450f9e958ce9ea553925]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:disciplines:e3p,uuid=a8dd648bf34a4ac6b4983bd4e9f74dc6]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:disciplines:epp,uuid=54ca890fdbc24b0fb81d048edb149cff]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:entities:entitySubjectIdentifierDef,uuid=1d54d3212bc44f25827da1033571d928]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:loaderLdap:grouperLoaderLdapDef,uuid=6e6654c0d1654d5a891d1f4656b50509]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:loaderLdap:grouperLoaderLdapValueDef,uuid=44a811f21d8d43e18f9e4912fea25e35]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:permissionLimits:limitsDef,uuid=81595408983d4506910598eb754f55ac]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:permissionLimits:limitsDefInt,uuid=5e2994a5771f477caf046f8e6ca1f2c1]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:permissionLimits:limitsDefMarker,uuid=c1d4e5830e1e4cbca36f90ed1f0b551b]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:rules:rulesAttrDef,uuid=3699aafff9a64bcb8dea7aa67d0598f6]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:rules:rulesTypeDef,uuid=b54a68effaa1483ba8698afbde4b66b1]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:userData:grouperUserDataDef,uuid=c5c82a4503ba46f5a83cf5b7d8eecf58]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:attribute:userData:grouperUserDataValueDef,uuid=c9f4c781b02e4bc39df0a45b93a9e0ec]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:legacy:attribute:legacyAttributeDef_grouperLoader,uuid=48bb96c75eee4c6b96a702888ab5c5ad]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:legacy:attribute:legacyAttributeDef_requireInGroups,uuid=cb6391f9519b40e3803bf766aee3491b]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:legacy:attribute:legacyGroupTypeDef_addIncludeExclude,uuid=24073b20ca304dd1957c6ba7ffa201db]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:legacy:attribute:legacyGroupTypeDef_grouperLoader,uuid=6cd4edcd3aa742b2a0307f3b553f9237]
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=etc:legacy:attribute:legacyGroupTypeDef_requireInGroups,uuid=e2a467af22cb43988ff41c97005e4b35]

I checked in liteUi and there are no admin attribute privileges for GrouperAll set on any of those attribute defs...

I looked into the Grouper source and I think there is a problem with this method in the Member.java class:

public Set<AttributeDef> hasAttrAdmin()
    throws GrouperException {
        Set<AttributeDef> attributeDefs = new LinkedHashSet<AttributeDef>();
        try {
            attributeDefs = GrouperSession.staticGrouperSession().getAttributeDefResolver().getAttributeDefsWhereSubjectHasPrivilege(
            this.getSubject(), AccessPrivilege.ADMIN
            );
        }
        catch (SubjectNotFoundException eSNF) {
            LOG.error( E.MEMBER_SUBJNOTFOUND + eSNF.getMessage());
        }
        return attributeDefs;
}


It should be this, no?

        try {
            attributeDefs = GrouperSession.staticGrouperSession().getAttributeDefResolver().getAttributeDefsWhereSubjectHasPrivilege(
            this.getSubject(), AttributeDefPrivilege.ATTR_ADMIN
            );
        }


But I'm confused...

Why can this line:
            attributeDefs = GrouperSession.staticGrouperSession().getAttributeDefResolver().getAttributeDefsWhereSubjectHasPrivilege(
            this.getSubject(), AccessPrivilege.ADMIN
            );

return something despite the fact that AccessPrivilege.ADMIN is a group privilege?


Thanks for your help,
Yoann.

On 07/10/2014 18:24, Chris Hyzer wrote:

Hmmmm….

There are no real view privileges on folders… it's a little complicated to know which folders someone can see; it's any folder that has a group/attributeDef/attributeDefName that the user can view in that folder or subfolder. Maybe we need to see if we can make that happen.

Thanks,

Chris


From: [] On Behalf Of Yoann Delattre
Sent: Tuesday, October 07, 2014 10:54 AM
To:
Subject: [grouper-users] My users can see all the folders

 

Hi,

In Grouper 2.2, is it normal that my users can see all the folders?

I already checked; there are no privileges set for everyentity, and in my grouper.properties I have:

groups.create.grant.all.read          = false

groups.create.grant.all.view          = false


Am I missing something?

Thanks for your help,
Yoann.
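
The folder-visibility rule described in Chris Hyzer's reply above, as an added example that is not part of the thread and is not Grouper code: a simplified model showing how a single object viewable by the every-entity subject makes all of its ancestor folders visible to every user. The class, record and method names and the sample object names are hypothetical and constructed for illustration; only the subject id GrouperAll comes from the thread.

```java
import java.util.*;

// Added illustration: a simplified model of the folder-visibility rule, not Grouper code.
public class FolderVisibility {

    // Subject id that stands for every entity (as named in the thread).
    static final String EVERY_ENTITY = "GrouperAll";

    // One object (group, attributeDef or attributeDefName) and the subjects that can view it.
    record Viewable(String name, Set<String> viewers) {}

    // A folder is visible when the subject can view any object in it or in a subfolder.
    static SortedSet<String> visibleFolders(String subjectId, List<Viewable> objects) {
        SortedSet<String> folders = new TreeSet<>();
        for (Viewable o : objects) {
            boolean canView = o.viewers().contains(subjectId)
                    || o.viewers().contains(EVERY_ENTITY);
            if (!canView) continue;
            // Every ancestor folder of a viewable object becomes visible.
            int idx = o.name().indexOf(':');
            while (idx >= 0) {
                folders.add(o.name().substring(0, idx));
                idx = o.name().indexOf(':', idx + 1);
            }
        }
        return folders;
    }

    // Audit helper: objects whose grant to EVERY_ENTITY exposes folders to all users.
    static List<String> exposedByEveryEntity(List<Viewable> objects) {
        List<String> out = new ArrayList<>();
        for (Viewable o : objects)
            if (o.viewers().contains(EVERY_ENTITY)) out.add(o.name());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real registry.
        List<Viewable> objects = List.of(
            new Viewable("app:wiki:editors", Set.of("alice")),
            new Viewable("app:hr:payroll:admins", Set.of("bob")),
            new Viewable("ref:attr:campusDef", Set.of(EVERY_ENTITY)));
        System.out.println("alice sees: " + visibleFolders("alice", objects));
        System.out.println("carol sees: " + visibleFolders("carol", objects));
        System.out.println("granted to everyone: " + exposedByEveryEntity(objects));
    }
}
```

In this model a user with no grants of their own (carol) still sees the ref and ref:attr folders, which is the kind of every-entity grant to look for when users see more folders than expected.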




