depwl9992 / anomalyjobs

Automatically exported from code.google.com/p/anomalyjobs

+job/sumset unusable on PennMUSH; attribute permissions #151

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a job in the TPS bucket
2. +job/sumset #/PLAYERS=Foo

What is the expected output?
JOBS: Job #/PLAYERS summary setting has been modified by ...

What do you see instead?
You either can not use the +job/sumset command, or set that parameter.

Please use labels and text to provide additional information.
This issue was discovered on PennMUSH. I haven't checked whether the same issue 
exists on other servers.

The +job/sumset command checks whether you have permission to change a 
parameter FOO by evaluating the ACCESS_FOO attribute on the job, which is 
inherited from its parent.  Jobs do not have powers; and if the parent (bucket) 
access is a function (e.g., u(%va/STAFFALL), etc.) the unpowered job does not 
have permission to get/evaluate the attribute.

Possible solutions: 
1. Bucket access checks could be changed to directly check the permissions 
involved (e.g., orflags(), etc.) that do not require permissioned evaluation.  
(This is an appropriate workaround until it's resolved.)

2. The STAFFALL and WIZONLY checks could be made evaluatable (on PennMUSH, set 
them "visual" and "public".)  This is dangerous and should be avoided from a 
security standpoint.

3. The /sumset check could simply check the ACCESS_FOO attribute on the bucket 
rather than the job. The bucket has appropriate powers to evaluate.  (This is 
probably the best solution.)

Original issue reported on code.google.com by widdis@gmail.com on 17 Feb 2011 at 5:39
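
The three proposed solutions, as a simplified Python model added here for illustration (not code from anomalyjobs or PennMUSH). The permission rule in `can_eval`, the `powered` and `public` fields, and the object names are modelling assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    powered: bool = False    # stands in for server powers (modelling assumption)
    staff: bool = False      # only meaningful for players
    parent: "Obj | None" = None
    attrs: dict = field(default_factory=dict)   # name -> callable(executor, enactor)
    public: set = field(default_factory=set)    # attributes anyone may evaluate

def can_eval(executor, holder, attr):
    # Assumed rule: self, a powered executor, or a public attribute.
    return executor is holder or executor.powered or attr in holder.public

def u(executor, holder, attr, enactor):
    # Models u(obj/attr): a denied evaluation yields a false result.
    if not can_eval(executor, holder, attr):
        return False
    return bool(holder.attrs[attr](executor, enactor))

def check_access(executor, attr, enactor):
    # Run the (possibly inherited) access attribute with executor's privileges.
    obj = executor
    while attr not in obj.attrs:
        obj = obj.parent
    return bool(obj.attrs[attr](executor, enactor))

def build(indirect=True, staffall_public=False):
    va = Obj("va", powered=True, attrs={"STAFFALL": lambda ex, who: who.staff},
             public={"STAFFALL"} if staffall_public else set())
    if indirect:   # models u(%va/STAFFALL): executor must be allowed to evaluate it
        access = lambda ex, who: u(ex, va, "STAFFALL", who)
    else:          # models a direct flag test on the enactor (solution 1)
        access = lambda ex, who: who.staff
    bucket = Obj("TPS", powered=True, attrs={"ACCESS_PLAYERS": access})
    return va, bucket, Obj("job", parent=bucket)   # the job itself has no powers

def scenarios():
    staffer, outsider = Obj("staffer", staff=True), Obj("outsider")
    _, bucket, job = build()
    va2, _, job2 = build(staffall_public=True)
    return {
        "reported": check_access(job, "ACCESS_PLAYERS", staffer),
        "solution1": check_access(build(indirect=False)[2], "ACCESS_PLAYERS", staffer),
        "solution2": check_access(job2, "ACCESS_PLAYERS", staffer),
        "solution2_exposed": can_eval(outsider, va2, "STAFFALL"),
        "solution3_staff": check_access(bucket, "ACCESS_PLAYERS", staffer),
        "solution3_other": check_access(bucket, "ACCESS_PLAYERS", outsider),
    }
```

In this model, `reported` is false even for a staff member, and `solution2_exposed` is true because the staff check becomes evaluable by any object.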

GoogleCodeExporter commented 9 years ago
Works on MUX.

Original comment by Fleety...@gmail.com on 20 Feb 2011 at 8:17

GoogleCodeExporter commented 9 years ago
The MUX is running 6.0, I'm not sure if that matters or not.

Original comment by Fleety...@gmail.com on 20 Feb 2011 at 2:13

GoogleCodeExporter commented 9 years ago
So after testing this is definitely only a Penn issue, part of the fact that 
INHERIT/TRUST doesn't work on Penn the same way it does on the other servers.

I'm leaning to solution 3 above, checking access permissions on the bucket 
rather than the job. I think that's how it's always been documented, even if 
it's not how it's been done.  Objections?

Original comment by widdis@gmail.com on 24 Feb 2011 at 4:46

GoogleCodeExporter commented 9 years ago
I have no objections. I don't see why it's calling from the job.

Original comment by Fleety...@gmail.com on 6 Mar 2011 at 9:14

GoogleCodeExporter commented 9 years ago
+jhelp sumsetting clearly documents that the *_ACCESS settings should be on the 
bucket, and not on the job or job parent object. So I'll proceed with solution 
3.

  Summary settings should only be set on the bucket, and not the parent. If
  set on the parent, then it becomes a bucket setting and /sumset will not
  function on it (though +bucket/set will pick it up, as both formats are
  identical).

Original comment by widdis@gmail.com on 8 Mar 2011 at 12:16

GoogleCodeExporter commented 9 years ago
Fixed in r404. Did not only *_ACCESS but *_PROCESS too and +myjob equivalents.  
The lattr() later in the commands was already calling the parent so this 
actually brings the checks into line consistent with the apparent intent.

Original comment by widdis@gmail.com on 8 Mar 2011 at 12:42