docdoku / docdoku-plm

The project purpose is to develop a comprehensive, robust open source PLM (Product LifeCycle Management) solution.
http://www.docdokuplm.com
GNU Affero General Public License v3.0

Error while updating access rights for documents #349

Open chadidas opened 9 years ago

chadidas commented 9 years ago

1. Create a new document.
2. Select the document and click on the access rights management button.
3. Update the rights of other users.
4. Click on save.

=> Error on update ACL

Server logs:

Vous, demo, n'avez pas les droits suffisants pour faire cette operation
    at com.docdoku.server.DocumentManagerBean.checkDocumentRevisionWriteAccess(DocumentManagerBean.java:1474)
    at com.docdoku.server.DocumentManagerBean.updateDocumentACL(DocumentManagerBean.java:294)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1081)
    at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1153)
    at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4695)
    at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:630)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:46)
    at sun.reflect.GeneratedMethodAccessor90.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)

TaylorHub commented 9 years ago

Only the document owner or a workspace administrator can edit a document ACL (same for parts). We should hide the button if the document ACL can't be modified.

mguimard commented 9 years ago

It seems that there's still a bug.

Scenario:

1. Create a user A.
2. Set him in a group with write access.
3. User A creates a document.
4. Downgrade the group's access rights to read only.
5. Give A access rights with an ACL on the document.
6. A can revoke those ACLs (ok behavior).
7. A can still edit ACLs (he shouldn't).