specify / specify6

Source Code for Specify 6, Biological Collections Management Platform
https://specifysoftware.org
GNU General Public License v2.0

Permissions wonky when switching collections #260

Open yvonneekanim opened 5 years ago

yvonneekanim commented 5 years ago

For example, if a user has WB permissions in collection A but not in collection B, the user's WB permissions transfer when switching between A and B depending on which collection was logged into first.

timo11 commented 5 years ago

Permissions are wonky. Are you talking about table permissions or tool permissions? I don't even know why the WB is in the tables section. How is it even possible for a user not to have permissions on the workbench tool? When I add a guest user it has the workbench enabled by default, and the option to enable uploading. But the guests group has both the workbench and uploading enabled by default. (But, no, wait, this is only true for one collection, I CAN change permissions on the workbench tool for users in the other collection in the db!)

I have no idea what happens if a user has permission to a tool but not the tables it depends on.

Anyway if this problem is about tool permissions, they should be reloaded when the collection changes, so the bug might be fixed.

timo11 commented 5 years ago

Correction: the fix in 9bc586e only fixes the problem when switching from a collection in which a tool is permitted to a collection where it is denied. After the change the tool will be disabled. However, when switching from a collection where the tool is not permitted, and not on the task bar, it will still not be on the task bar after switching to a collection for which the tool is permitted.

timo11 commented 5 years ago

This bug is present in 6.6.00, and probably all versions before that, because the relevant code has not been changed since pre-6.0 days.

timo11 commented 5 years ago

The partial fix in 9bc586e is still in the repo. Permissions objects are checked for nullness everywhere they are accessed, so it is safe to leave it in. Also, it prevents the most serious part of this issue: Any Tool permissions a user has in the current collection will be removed when it switches to a collection in which it does NOT have them (but maybe not all of them).

yvonneekanim commented 5 years ago

I've tried this with all tools and a few tables and the permissions for a collection still transfer to collections where users don't have permission.
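The behaviour discussed in this thread, reduced to a small model (an added example, not Specify 6 code and not written by anyone in the thread). It compares three ways a client could handle a collection switch: never reloading permissions, only removing tools that are now denied, and rebuilding from the target collection's grants. `GRANTS`, `Session`, the strategy names and `check_switch` are hypothetical, and the grants are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: one user's tool grants per collection.
GRANTS = {
    "A": {"workbench", "reports"},
    "B": {"reports"},
}

@dataclass
class Session:
    """Hypothetical client session; task_bar holds the tools the user can reach."""
    strategy: str                      # "stale", "remove_only" or "rebuild"
    collection: str = ""
    task_bar: set = field(default_factory=set)

    def login(self, collection):
        self.collection = collection
        self.task_bar = set(GRANTS[collection])

    def switch(self, collection):
        allowed = GRANTS[collection]
        self.collection = collection
        if self.strategy == "stale":
            pass                          # grants loaded at login are never reloaded
        elif self.strategy == "remove_only":
            self.task_bar &= allowed      # drops denied tools, never adds permitted ones
        elif self.strategy == "rebuild":
            self.task_bar = set(allowed)  # state derived only from the target collection
        else:
            raise ValueError(f"unknown strategy: {self.strategy}")

def check_switch(strategy, first, second):
    """Log in to `first`, switch to `second`, and return two sorted lists:
    tools wrongly available and tools wrongly missing in `second`."""
    session = Session(strategy)
    session.login(first)
    session.switch(second)
    allowed = GRANTS[second]
    return sorted(session.task_bar - allowed), sorted(allowed - session.task_bar)

if __name__ == "__main__":
    for strategy in ("stale", "remove_only", "rebuild"):
        for first, second in (("A", "B"), ("B", "A")):
            leaked, missing = check_switch(strategy, first, second)
            print(f"{strategy:12} {first}->{second} leaked={leaked} missing={missing}")
```

A regression test for this class of bug needs both switch directions, since a remove-only reload passes the permitted-to-denied case and still fails the reverse.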