Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

fixed in 2.3.0 ui patch #19

-----Original Message-----
From: Chad Redman (JIRA) 
[mailto:]
 
Sent: Wednesday, February 01, 2017 10:10 AM
To: Hyzer, Chris 
<>
Subject: [JIRA] (GRP-1480) users with admin priv can't remove group via 
subject page

Chad Redman created GRP-1480:
--------------------------------

             Summary: users with admin priv can't remove group via subject 
page
                 Key: GRP-1480
                 URL: https://bugs.internet2.edu/jira/browse/GRP-1480
             Project: Grouper
          Issue Type: Bug
          Components: UI
    Affects Versions: 2.4.0, 2.3.0.patch
            Reporter: Chad Redman
            Assignee: Chris Hyzer


When a non-wheel user, with admin privileges but no explicit update privilege 
on a group, tries to remove that group via a subject page, using the 
checkboxes and the "Remove selected groups" button, the error is flashed:

{color:green}Error: group has errors removing 1 members, and successfully 
removed 1 members{color}

This looks like it just needs a change in UiV2Subject.removeGroups, with a 
group.hasUpdate(loggedInSubject) changed to a 
group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), 
false). That fixed it for me when testing locally. There is another usage of 
hasUpdate in removeGroup, but I didn't test that one.

The "successfully removed 1 members" on an error is also a bug, since it 
wasn't an actual success. I think the successes++ line should be moved to the 
inner block, right after group.deleteMember() is called.

h3. Steps to reproduce (unicon grouper-demo Docker image -- I used tag 
2.3.0-2017-01-30):

1) As user banderson/password, log into http://192.168.99.100:8080/grouper
2) Add adoe as an admin of group courses:ACCT101
3) In a separate browser, log in as adoe/password
3) search user "asmith" and open the subject page
4) check checkbox for group ACCT101
5) Click Remove selected groups

Result: Error: group has errors removing 1 members, and successfully removed 
1 members

h3. Potential patch:

{code:java}
--- 
a/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
+++ 
b/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
@@ -805,7 +805,7 @@ public class UiV2Subject {

             @Override
             public Object callback(GrouperSession grouperSession) throws 
GrouperSessionException {
-              if (group.hasUpdate(loggedInSubject)) {
+              if (group.canHavePrivilege(loggedInSubject, 
AccessPrivilege.UPDATE.getName(), false)) {
                 return true;
               }
               return false;
@@ -816,9 +816,9 @@ public class UiV2Subject {
             failures++;
           } else {
             group.deleteMember(membership.getMember(), false);
+            successes++;
           }

-          successes++;
         } catch (Exception e) {
           LOG.warn("Error with membership: " + membershipId + ", user: " + 
loggedInSubject, e);
           failures++;
{code}




--
This message was sent by Atlassian JIRA
(v7.2.6#72008)