Closed mbjones closed 6 years ago
Original Redmine Comment Author Name: Jim Regetz (Jim Regetz) Original Date: 2010-02-26T19:24:07Z
FYI, this is more than just an esa-moderators permission issue. Here is another case:
Currently on esa-dev, document esa.62 was originally created by daigle-test32, and apparently user 'test' was given all access rights after the fact. The access rules are:
ALLOW: [all] uid=test,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=esa-moderators,dc=ecoinformatics,dc=org
ALLOW: [all] uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [read] [write] uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org
However, when logging in as 'test', clicking My Submissions (which shows this document), and then clicking the Edit button for esa.62, the following error is reported:
Failure An error occurred. Please check the list of errors below:
* You don't have permission to edit this document, which is owned by uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org. (Access Error #3)
Perhaps the registry is not allowing anyone other than the owner to modify a document, regardless of other permissions? Is this a feature or a bug? In contrast, if I point Morpho at esa-dev and log in as 'test', I can successfully open this document, edit it, and save the changes back to the network.
Original Redmine Comment Author Name: Michael Daigle (Michael Daigle) Original Date: 2010-02-26T23:00:10Z
Fix in 1.9.2.
All rules in the doc should apply.
Original Redmine Comment Author Name: Michael Daigle (Michael Daigle) Original Date: 2010-03-03T23:54:10Z
Added the group information to the return XML for the metacat api getloggedinuserinfo call. Use that information to check whether the user's groups are principal, moderator or esa-admin. Here is the overall logic:
-- Check if the principal is 'public' and the permission is not 'read' then this document could not have been created in the registry so reject it
-- Check if the principal is the admin and permission is not 'all' then this document could not have been created in the registry so reject it

-- Check if user matches principal. If so, user is authorized
-- Check if the user is a moderator or admin. If so, user is authorized
-- Check if any of this user's groups matches the principal. If so, user is authorized
-- Check if any of this user's groups is an admin or moderator. If so, user is authorized
-- Otherwise, user is not authorized.
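The checks listed in the comment above, run against the esa.62 rules quoted earlier in this thread. This is an added Python example, not the registry's own code and not part of the original comments. Assumptions: all function names are hypothetical, the admin DN is a placeholder, DNs are compared after lowercasing, and a matching rule must carry write or all to permit editing (the comment does not say which permission is required).

```python
import re

# Access rules for esa.62 as listed on this page.
ESA62_RULES = """\
ALLOW: [all] uid=test,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=esa-moderators,dc=ecoinformatics,dc=org
ALLOW: [all] uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [read] [write] uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org
"""
MODERATORS = "cn=esa-moderators,dc=ecoinformatics,dc=org"  # from the page
ADMIN = "cn=esa-admin,dc=example,dc=org"  # hypothetical placeholder DN

RULE_RE = re.compile(r"^ALLOW:\s+((?:\[\w+\]\s+)+)(\S+)$")

def parse_rules(text):
    """Return a list of (permissions, principal) from 'ALLOW: [perm] dn' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((set(re.findall(r"\[(\w+)\]", m.group(1))), m.group(2).lower()))
    return rules

def can_edit(user, groups, rules):
    """Apply the checks listed in the comment; fail closed on anything else."""
    user, groups = user.lower(), {g.lower() for g in groups}
    # Rules the registry itself could never have written: reject the document.
    for perms, principal in rules:
        if principal == "public" and perms != {"read"}:
            return False
        if principal == ADMIN and perms != {"all"}:
            return False
    privileged = {MODERATORS, ADMIN}
    if user in privileged or groups & privileged:
        return True
    # Assumption: only a rule that carries write or all permits editing.
    return any(perms & {"write", "all"} and (principal == user or principal in groups)
               for perms, principal in rules)

def owner_only(user, owner):
    """The behaviour reported above: rules ignored, only the owner may edit."""
    return user.lower() == owner.lower()
```

With these rules, `owner_only` refuses user 'test' while `can_edit` allows it, which is the difference between the reported error and "All rules in the doc should apply."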
Original Redmine Comment Author Name: Redmine Admin (Redmine Admin) Original Date: 2013-03-27T21:28:17Z
Original Bugzilla ID was 4837
Author Name: Jim Regetz (Jim Regetz) Original Redmine Issue: 4837, https://projects.ecoinformatics.org/ecoinfo/issues/4837 Original Date: 2010-02-24 Original Assignee: Michael Daigle
The "Revise document" notification emailed to moderators currently contains a URL that looks something like this:
http://esa-dev.nceas.ucsb.edu/esa/cgi-bin/register-dataset.cgi?stage=modify&cfg=esa&docid=esa.65
If already logged in as a moderator (and not the owner of this document), clicking this link produces the following:
Failure An error occurred. Please check the list of errors below:
ESA moderators, i.e. members of cn=esa-moderators,dc=ecoinformatics,dc=org, should have ALL permissions by default, so presumably they should be able to modify this document (and there may be times when they need to be able to do so).