NCEAS / metacat

Data repository software that helps researchers preserve, share, and discover data
https://knb.ecoinformatics.org/software/metacat
GNU General Public License v2.0

Permission error when ESA moderator attempts to modify a document #733

Closed mbjones closed 6 years ago

mbjones commented 6 years ago

Author Name: Jim Regetz (Jim Regetz)
Original Redmine Issue: 4837, https://projects.ecoinformatics.org/ecoinfo/issues/4837
Original Date: 2010-02-24
Original Assignee: Michael Daigle


The "Revise document" notification emailed to moderators currently contains a URL that looks something like this:

http://esa-dev.nceas.ucsb.edu/esa/cgi-bin/register-dataset.cgi?stage=modify&cfg=esa&docid=esa.65

If already logged in as a moderator (and not the owner of this document), clicking this link produces the following:


Failure An error occurred. Please check the list of errors below:

* You don't have permission to edit this document, which is owned by uid=test,o=NCEAS,dc=ecoinformatics,dc=org. (Access Error #3)

ESA moderators, i.e. members of cn=esa-moderators,dc=ecoinformatics,dc=org, should have ALL permissions by default, so presumably they should be able to modify this document (and there may be times when they need to be able to do so).

mbjones commented 6 years ago

Original Redmine Comment
Author Name: Jim Regetz (Jim Regetz)
Original Date: 2010-02-26T19:24:07Z


FYI, this is more than just an esa-moderators permission issue. Here is another case:

Currently on esa-dev, document esa.62 was originally created by daigle-test32, and apparently user 'test' was given all access rights after the fact. The access rules are:

ALLOW: [all] uid=test,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=esa-moderators,dc=ecoinformatics,dc=org
ALLOW: [all] uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [read] [write] uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org

However, when logging in as 'test', clicking My Submissions (which shows this document), and then clicking the Edit button for esa.62, the following error is reported:


Failure An error occurred. Please check the list of errors below:

* You don't have permission to edit this document, which is owned by uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org. (Access Error #3)

Perhaps the registry is not allowing anyone other than the owner to modify a document, regardless of other permissions? Is this a feature or a bug? In contrast, if I point Morpho at esa-dev and log in as 'test', I can successfully open this document, edit it, and save the changes back to the network.

mbjones commented 6 years ago

Original Redmine Comment
Author Name: Michael Daigle (Michael Daigle)
Original Date: 2010-02-26T23:00:10Z


Fix in 1.9.2.

All rules in the doc should apply.

mbjones commented 6 years ago

Original Redmine Comment
Author Name: Michael Daigle (Michael Daigle)
Original Date: 2010-03-03T23:54:10Z


Added the group information to the return xml for the metacat api getloggedinuserinfo call. Use that information to check whether the user's groups are principal, moderator or esa-admin. Here is the overall logic:

-- Check if the principal is 'public' and the permission is not 'read' then this document could not have been created in the registry so reject it
-- Check if the principal is the admin and permission is not 'all' then this document could not have been created in the registry so reject it

-- Check if user matches principal. If so, user is authorized
-- Check if the user is a moderator or admin. If so, user is authorized
-- Check if any of this user's groups matches the principal. If so, user is authorized
-- Check if any of this user's groups is an admin or moderator. If so, user is authorized
-- Otherwise, user is not authorized.
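
The check order listed in the comment above, applied to the esa.62 access rules quoted earlier in the thread, as an added example in Python (not Metacat's registry code and not written by the commenters). The admin DN is a placeholder; the DN normalization, running the two sanity checks over all rules before any identity check, and counting only rules that grant write or all toward an edit are assumptions, as are the function and variable names.

```python
# Added example; not Metacat's registry code. The moderator DN is quoted in the
# issue; the admin DN is a placeholder because the page does not give one.
MODERATOR = "cn=esa-moderators,dc=ecoinformatics,dc=org"
ADMIN = "cn=ADMIN-PLACEHOLDER,dc=example,dc=org"

# Access rules of esa.62 as listed in the issue: (principal, permissions).
ESA_62 = [
    ("uid=test,o=NCEAS,dc=ecoinformatics,dc=org", {"all"}),
    ("cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org", {"all"}),
    ("cn=esa-moderators,dc=ecoinformatics,dc=org", {"all"}),
    ("uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org", {"all"}),
    ("uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org", {"read", "write"}),
]


def norm(dn):
    """Assumption: DNs compare case-insensitively, ignoring space around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def can_modify(user, groups, rules):
    """Return (allowed, reason), applying the checks in the order listed above."""
    privileged = {norm(MODERATOR), norm(ADMIN)}
    # Sanity checks run over every rule before any identity check (fail closed).
    for principal, perms in rules:
        if norm(principal) == "public" and perms != {"read"}:
            return False, "public rule is not read-only"
        if norm(principal) == norm(ADMIN) and perms != {"all"}:
            return False, "admin rule is not 'all'"
    # Assumption: only rules granting write or all count toward an edit.
    editors = {norm(p) for p, perms in rules if perms & {"write", "all"}}
    uid, gids = norm(user), [norm(g) for g in groups]
    if uid in editors:
        return True, "user matches principal"
    if uid in privileged:
        return True, "user is moderator or admin"
    if any(g in editors for g in gids):
        return True, "group matches principal"
    if any(g in privileged for g in gids):
        return True, "group is moderator or admin"
    return False, "no rule authorizes this user"


if __name__ == "__main__":
    test_user = "uid=test,o=NCEAS,dc=ecoinformatics,dc=org"
    print(can_modify(test_user, [], ESA_62))
    # Constructed user who is only a member of the moderators group.
    print(can_modify("uid=mod1,o=NCEAS,dc=ecoinformatics,dc=org", [MODERATOR], ESA_62))
```
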

mbjones commented 6 years ago

Original Redmine Comment
Author Name: Redmine Admin (Redmine Admin)
Original Date: 2013-03-27T21:28:17Z


Original Bugzilla ID was 4837