#267 better layout when all roles granted in setup.

Milestone: v1.3.0
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2016-08-09
Created: 2013-01-08
Private: No

There was a test user with all of the existing roles enabled.
When I revoked employees_manage and users_manage for the user called test, I expected that the user test would have no access to these menu elements or be able to run these forms.
Now I can see that the user still has access to these forms and can modify other users' roles.

Discussion

  • Pongracz Istvan

    Pongracz Istvan - 2013-01-08
    • summary: User Rules does not respected? --> User Roles does not respected?
     
  • Chris Travers

    Chris Travers - 2013-01-09

    This doesn't sound right. Can we get together over skype to triage this and see what's going on?

     
  • Chris Travers

    Chris Travers - 2013-01-09
    • priority: 5 --> 7
    • assigned_to: nobody --> einhverfr
    • labels: 887559 -->
    • milestone: 2085417 -->
     
  • Chris Travers

    Chris Travers - 2013-01-09

    on 1.4, I am getting this: ERROR: Cannot grant permissions to a non-existant user. More information has been reported in the error logs at LedgerSMB.pm line 982.

     
  • Chris Travers

    Chris Travers - 2013-01-10

    I will follow up on skype with you on this. I have been able to reproduce this issue in one specific case which involves efforts beyond the application. In other words:

    If I tamper with the user by making the user a db superuser, the role permissions are ignored (by PostgreSQL) because superusers by definition are granted permissions of all other roles.

     
  • Chris Travers

    Chris Travers - 2013-01-10

    The issue was that the user was in fact also a system administrator and so also had indirect access. In the long run we need a better layout here and should probably restrict "all roles" grants to roles ending in "all" or something.

     
  • Chris Travers

    Chris Travers - 2013-01-10
    • priority: 7 --> 5
    • summary: User Roles does not respected? --> better layout when all roles granted in setup.
     
  • Chris Travers

    Chris Travers - 2013-01-10
    • assigned_to: einhverfr --> nobody
     
  • Chris Travers

    Chris Travers - 2016-08-09
    • status: open --> closed
    • Group: --> v1.3.0
     
  • Chris Travers

    Chris Travers - 2016-08-09

    If we want to discuss fixes for this issue, let's open a new ticket on github. The problem here is that these are just group roles and that in SQL role permissions are additive. So the user has both group membership and independently is also granted access to everything else.

    The real problem here is that the situation is confusing, but I am not really sure what should be done about it.

     
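The two explanations given in this thread (the test user was a database superuser, and SQL role privileges are additive so a second grant path survives a single REVOKE) can both be checked directly in PostgreSQL. The following queries are an added example, not code from the LedgerSMB project; they assume a login role named `test` and application roles whose names start with `lsmb_` (both are placeholders), and the `FILTER` clause needs PostgreSQL 9.4 or later.

```sql
-- Added example (not LedgerSMB project code): find out why revoking one role
-- did not remove a user's access. 'test' and the 'lsmb_%' prefix are assumed
-- placeholder names.

-- 1. Is the login role a superuser? PostgreSQL skips permission checks
--    entirely for superusers, so no REVOKE on an application role matters.
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin
  FROM pg_roles
 WHERE rolname = 'test';

-- 2. Every role 'test' holds, directly or through nested membership.
--    depth 1 = granted directly, depth 2+ = inherited via another group role.
WITH RECURSIVE membership AS (
    SELECT m.roleid, m.member, 1 AS depth
      FROM pg_auth_members m
      JOIN pg_roles u ON u.oid = m.member
     WHERE u.rolname = 'test'
    UNION
    SELECT m.roleid, m.member, ms.depth + 1
      FROM pg_auth_members m
      JOIN membership ms ON m.member = ms.roleid
)
SELECT r.rolname AS granted_role, min(ms.depth) AS shortest_path
  FROM membership ms
  JOIN pg_roles r ON r.oid = ms.roleid
 GROUP BY r.rolname
 ORDER BY shortest_path, r.rolname;

-- 3. The "all roles granted" situation from the ticket: login roles that are
--    superusers or that effectively hold every application role. Because
--    privileges are additive, such a user keeps access no matter which single
--    role is revoked.
SELECT u.rolname,
       u.rolsuper                                                       AS is_superuser,
       count(*) FILTER (WHERE pg_has_role(u.oid, r.oid, 'MEMBER'))      AS roles_held,
       count(*)                                                         AS roles_total
  FROM pg_roles u
 CROSS JOIN pg_roles r
 WHERE u.rolcanlogin
   AND r.rolname LIKE 'lsmb\_%'
 GROUP BY u.rolname, u.rolsuper
HAVING u.rolsuper
    OR count(*) FILTER (WHERE pg_has_role(u.oid, r.oid, 'MEMBER')) = count(*);

-- 4. Remediation for the superuser case described in the thread: make the
--    application user an ordinary role again so role grants are enforced.
--    (Run as a superuser; leaves the user's group memberships untouched.)
ALTER ROLE test NOSUPERUSER;
```

Query 2 is the useful one when a single REVOKE "did not work": if the role you revoked still appears with a shortest path greater than 1, the user reaches it through another group role, and that is the grant that has to be removed. Query 3 lists the accounts for which a per-role revoke cannot have any visible effect at all.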
