grouper-users - [grouper-users] RE: [JIRA] (GRP-1418) removeMembers redirect to main page for non-wheel user with Admin priv but not update
- From: "Hyzer, Chris"
- To: Grouper Users Mailing List
- Subject: [grouper-users] RE: [JIRA] (GRP-1418) removeMembers redirect to main page for non-wheel user with Admin priv but not update
- Date: Tue, 17 Jan 2017 07:59:48 +0000
https://bugs.internet2.edu/jira/browse/GRP-1418
Fixed in 2.3.0 UI patch #13.
Note, both issues are fixed.
Thanks,
Chris
-----Original Message-----
From: Chad Redman (JIRA)
Sent: Thursday, November 17, 2016 11:12 AM
To: Hyzer, Chris
Subject: [JIRA] (GRP-1418) removeMembers redirect to main page for non-wheel user with Admin priv but not update
[ https://bugs.internet2.edu/jira/browse/GRP-1418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24170#comment-24170 ]
Chad Redman commented on GRP-1418:
----------------------------------
There is a similar issue in the same method, with privilege checking for
recentlyUsedMemberAdd() and recentlyUsedGroupAdd(). But the issue I noted
above where the removal does not appear in the recent activity is not from
this, but is from the audit log. The audit log is logging the removal as
being done by GrouperSystem, so it shows up under GrouperSystem's activity.
That's currently as intended; removals are done as GrouperSystem in case the
logged in user itself is removed. But it would be a useful enhancement to
show removals in the user's activity.
> removeMembers redirect to main page for non-wheel user with Admin priv but not update
> -------------------------------------------------------------------------------------
>
> Key: GRP-1418
> URL: https://bugs.internet2.edu/jira/browse/GRP-1418
> Project: Grouper
> Issue Type: Bug
> Security Level: Standard (Standard bug, may impact functionality but does not represent a security vulnerability)
> Components: UI
> Affects Versions: 2.3.0
> Reporter: Chad Redman
> Assignee: Chris Hyzer
>
> When removing users using the "Remove selected members" button, the
> behavior is different between wheel users and non-wheel users with an admin
> privilege on the group. For a user that has admin privilege, but not an
> explicit update privilege, removing selected users will redirect the user
> away from the group to the site home page.
> h3. Steps to reproduce
> # Load the sample quick start data
> # Log in as GrouperSystem
> # Create Group qsuob:test:AdminAccess
> # Don't grant anything to EveryEntity
> # Grant admin to babe (Barry Benson)
> # Add bawi (Barry Windsor) as member
> # Add "babe" to the tomcat-users.xml if needed
> # In a different browser, login as "babe"
> # Go to qsuob:test:AdminAccess
> # Select checkbox for Barry Windsor
> # Click Remove Selected Members
> h3. Result:
> - Flash status "Success: removed 1 members"
> - Redirected to UiV2Main.indexMain (the home page)
> - Doesn't show change under recent activity (a separate issue?)
> Note that explicitly adding the Update privilege for the user avoids this
> result, and it remains on the group page.
> h3. Analysis
> The source code for UiV2Group.removeMembers has this code which seems to be
> the immediate cause (correlated to the difference in Ajax response between
> wheel and admin):
> {code:java}
> // redirect to the home page unless the subject holds both UPDATE and READ;
> // otherwise stay on the group page and re-run the member filter
> if (!group.hasUpdate(loggedInSubject) || !group.hasRead(loggedInSubject)) {
>   guiResponseJs.addAction(GuiScreenAction.newScript("guiV2link('operation=UiV2Main.indexMain')"));
> } else {
>   filterHelper(request, response, group);
> }
> {code}
> For users with the Admin privilege, privilege management in the UI shows a
> black checkbox for Admin, and also grey checkboxes for all the other
> privileges, including Read and Update. That would imply there is an
> inheritance of these privileges for admin. However,
> group.hasUpdate(loggedInSubject) and group.hasRead(loggedInSubject) are
> false for a user with just the Admin privilege.
> My guess for a fix is to add
> {code:java}
> || !group.hasAdmin(loggedInSubject)
> {code}
> to the conditional above. But there may be nuances in the privilege system
> I'm not aware of.
--
This message was sent by Atlassian JIRA (v6.4.11#64026)
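Added example, not Grouper's code and not the 2.3.0 UI patch Chris refers to: a small Python model of the removeMembers conditional quoted in the issue, showing how a subject holding only ADMIN (babe in the reproduction) is redirected when hasUpdate/hasRead are direct-grant lookups, beside a variant that accepts ADMIN in place of the UPDATE and READ the UI displays as inherited. The Priv and Group classes, the wheel flag and the subject "cara" are constructed assumptions.

```python
from enum import Enum

class Priv(Enum):
    """Group privileges named in the report."""
    ADMIN = "admin"
    UPDATE = "update"
    READ = "read"

class Group:
    """Toy stand-in for Grouper's Group: only direct grants are recorded."""

    def __init__(self, grants):
        # grants: {subject_id: set of Priv}; constructed sample data, not Grouper's
        self.grants = grants

    def has_priv(self, subject, priv):
        # Models hasRead/hasUpdate/hasAdmin as a direct-grant lookup: holding
        # ADMIN does not make UPDATE or READ true, as the report observed.
        return priv in self.grants.get(subject, set())

def redirects_original(group, subject, wheel=False):
    """The conditional quoted in GRP-1418: go to the home page unless UPDATE
    and READ both hold. Wheel users always pass (an assumption)."""
    if wheel:
        return False
    return not (group.has_priv(subject, Priv.UPDATE)
                and group.has_priv(subject, Priv.READ))

def redirects_admin_aware(group, subject, wheel=False):
    """Alternative check (an assumption, not the shipped patch): ADMIN is
    accepted in place of the UPDATE and READ the UI shows as inherited."""
    if group.has_priv(subject, Priv.ADMIN):
        return False
    return redirects_original(group, subject, wheel)

# Constructed grants mirroring the reproduction: babe holds only ADMIN,
# bawi is a plain member, and "cara" (hypothetical) holds UPDATE and READ.
SAMPLE_GROUP = Group({"babe": {Priv.ADMIN}, "bawi": set(),
                      "cara": {Priv.UPDATE, Priv.READ}})

def redirect_matrix(group=SAMPLE_GROUP):
    """Return {subject: (original_redirects, admin_aware_redirects)}, with a
    wheel user added, to compare the two checks side by side."""
    rows = {s: (redirects_original(group, s), redirects_admin_aware(group, s))
            for s in group.grants}
    rows["wheel"] = (redirects_original(group, "GrouperSystem", wheel=True),
                     redirects_admin_aware(group, "GrouperSystem", wheel=True))
    return rows
```

The flash message in the report ("Success: removed 1 members") shows the removal itself completed before the redirect, so this conditional only decides which page is shown afterwards, not whether the removal was authorised.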