Bug #2998

Morpho uses 'allowFirst' by default when building access control

Added by Chris Jones almost 12 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Immediate
Assignee:
Category:
morpho - general
Target version:
Start date:
11/06/2007
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
2998

Description

When inserting access control sections into EML documents created by Morpho, Morpho defaults to using a permission order of 'allowFirst' rather than 'denyFirst'. This creates an unintended problem when a deny statement is inserted for public access. For instance, the data-managers group below will be denied access after it has been granted access in the allow statement because it, too, belongs to the 'public' (everyone) group.

<access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
order="allowFirst">
<deny>
<principal>public</principal>
<permission>read</permission>
</deny>
<allow>
<principal>cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org</principal>
<permission>all</permission>
</allow>
</access>

If the above had a permission order set to 'denyFirst', public read access would be denied, and then the allow statement would 'punch through' and provide all access to the data-managers group (which is the intention of this access statement).

Morpho should be configured to default to 'denyFirst' when creating ACLs to avoid this situation.
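The following is an added illustration, not Morpho's or Metacat's own code, of why the permission order matters for the access block quoted in the report. It parses the block, applies the rules in the order the attribute names, and lets a rule evaluated later override an earlier one; that "later phase wins" reading, the expansion of the 'all' permission into read/write/changePermission, and treating every caller as a member of 'public' are assumptions drawn from the report's description rather than from the EML specification text on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the access block from the bug report, with the
# order attribute left as a placeholder so both orders can be compared.
ACCESS_TEMPLATE = """<access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
        order="{order}">
  <deny>
    <principal>public</principal>
    <permission>read</permission>
  </deny>
  <allow>
    <principal>cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org</principal>
    <permission>all</permission>
  </allow>
</access>
"""

DATA_MANAGERS = "cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org"

# Assumption: 'all' expands to the individual permissions below.
ALL_PERMISSIONS = {"read", "write", "changePermission"}


def parse_rules(xml_text):
    """Return (order, rules); each rule is (kind, principals, permissions)."""
    root = ET.fromstring(xml_text)
    order = root.get("order", "allowFirst")  # Morpho's default per the report
    rules = []
    for elem in root:
        if elem.tag not in ("allow", "deny"):
            continue
        principals = {p.text.strip() for p in elem.findall("principal") if p.text}
        permissions = set()
        for p in elem.findall("permission"):
            name = (p.text or "").strip()
            permissions |= ALL_PERMISSIONS if name == "all" else {name}
        rules.append((elem.tag, principals, permissions))
    return order, rules


def is_granted(xml_text, user_principals, permission):
    """Evaluate one permission for a user holding the given principals.

    Rules of the first-named kind are applied, then rules of the other
    kind; a later matching rule overrides an earlier decision, and the
    default with no match is deny. Every user is also a member of 'public'.
    """
    order, rules = parse_rules(xml_text)
    principals = set(user_principals) | {"public"}
    first = "allow" if order == "allowFirst" else "deny"
    second = "deny" if first == "allow" else "allow"
    decision = False
    for phase in (first, second):
        for kind, rule_principals, permissions in rules:
            if kind != phase:
                continue
            if principals & rule_principals and permission in permissions:
                decision = kind == "allow"
    return decision


def data_manager_can_read(order):
    """Convenience wrapper: can a data-managers member read under this order?"""
    return is_granted(ACCESS_TEMPLATE.format(order=order), [DATA_MANAGERS], "read")


if __name__ == "__main__":
    for order in ("allowFirst", "denyFirst"):
        print(order, "-> data-managers read:", data_manager_can_read(order))
```

Run as a script it shows the effect described in the report: with 'allowFirst' the public deny is applied last and wipes out the group's read access, while with 'denyFirst' the allow rule is applied last and restores it. Anonymous users (only 'public') are denied read under either order, and permissions the deny rule does not cover (write, changePermission) remain granted to the group regardless of order.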

History

#1 Updated by Jing Tao over 11 years ago

move to 1.7 release

#2 Updated by Jing Tao over 10 years ago

Now it uses "denyFirst" for both metadata and data.

#3 Updated by Jing Tao about 10 years ago

move to 1.7

#4 Updated by Redmine Admin over 6 years ago

Original Bugzilla ID was 2998
