Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

https://bugs.internet2.edu/jira/browse/GRP-1420

Fixed in API 2.3.0 patch #43

Note, the fix should work in other places that are affected. If the session 
acting as is GrouperSystem (and from a session, not from the actual ActAs 
like in WS), then ignore it...

Try it out and let me know how it goes.

Thanks
Chris

-----Original Message-----
From: Chad Redman (JIRA) 
[mailto:]
 
Sent: Thursday, November 17, 2016 11:50 AM
To: Hyzer, Chris 
<>
Subject: [JIRA] (GRP-1420) Member removal from group shows recent activity as 
GrouperSystem

Chad Redman created GRP-1420:
--------------------------------

             Summary: Member removal from group shows recent activity as 
GrouperSystem
                 Key: GRP-1420
                 URL: https://bugs.internet2.edu/jira/browse/GRP-1420
             Project: Grouper
          Issue Type: Improvement
      Security Level: Standard (Standard bug, may impact functionality but 
does not represent a security vulnerability)
          Components: UI
    Affects Versions: 2.3.0, 2.4.0
            Reporter: Chad Redman
            Assignee: Chris Hyzer


When adding a member to a group, Grouper stores the action in the audit log 
with ACT_AS_MEMBER_ID field as the logged in user. However, removing a user 
will store the entry with ACT_AS_MEMBER_ID as the GrouperSystem subject. In 
both cases, the LOGGED_IN_MEMBER_ID field is the logged in user.

The recent activity page in the UI queries the act_as_member_id to populate 
its list of recent actions. Thus, membership adds show up under the user's 
recent activity, but deletes show up under GrouperSystem's.

UiV2Group::removeMembers performs member removals as GrouperSystem, with the 
source code comment "subject has update, so this operation as root in case 
removing affects the membership". So the audit logging is working as 
designed. However, it is unexpected for the users, who can see member adds 
but not deletes.


h3. Steps to reproduce

# Load the sample quick start data
# Log in as GrouperSystem
# Create test group qsuob:test:AdminAccess
# Grant admin to "babe" (Barry Benson)
# In tomcat, add "babe" to the tomcat-users.xml if needed
# In a different browser, login as "babe"
# Go to qsuob:test:AdminAccess
# Add bawi (Barry Windsor) as member
# Remove Barry Windsor as member
# Go to Recent Activity


h3. Result

- Recent activity for Barry Benson shows: Added Barry Windsor as a member of 
the AdminAccess group.
- Recent activity for GrouperSystem shows: Deleted Barry Windsor as a member 
of the AdminAccess group.




--
This message was sent by Atlassian JIRA
(v6.4.11#64026)