Project

General

Profile

Bug #4451

Permissions granted cannot seem to be revokable

Added by Sandeep Namilikonda almost 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Category:
dataserver
Target version:
Start date:
10/14/2009
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
4451

Description

Two types of permissions can be set via Morpho interface
a) Under Documentation -> Access information

This option allows user to grant access to the assessment items.
So, this would enable a user to view assessment items on the
website.

b) Under Data -> Edit data access

This option is used to grant permission to download student
score and response data.

Test case 1: Permission granted to a single user to view assessment items only

- The user could successfully view the assessment items on the 
website. Further, the user could also download the student data,
which should not have been the case.

Test case 2: Permission revoked by explicitly choosing the user's name
from the drop down list and opting to "deny" access

- The user was still able to view as well as download assessment

Test case 3: Permission granted to a group (FIRST group)

- All the auhtorized members of FIRST group were able to access
the assessment.
- Similar to Test case 2, revoking the access does not seem to
affect the user's ability to view and download assessment!

Test case 4: Public and private access seems appropriately functional

- Once public access is granted for an assessment, it remains
that way even if we explicitly change the access rights to private.

PS: The above trials were run on "Permission Test 1"

History

#1 Updated by ben leinfelder almost 10 years ago

I see that we were using a more "generous" permissions mode in metacat where we process all of the "deny" rules first before processing the "allow" rules. I've switched all the permission records in the fred database to use the more strict "allowFirst" method so that deny rules should be upheld.

I've also changed this in the Morpho client code so that changes to access rights made in the future will use the "allowFirst" mode. But this means cutting another Morpho installer from the latest source.

Depending on the last permission you set on "Permission Test 1" you may or may not be able to check if you actually revoked permission.

If you'd like, I can clear all permissions that have been set on all documents and we can start from scratch. Only the owner (original person who uploaded the assessment) will be able to read/write/set permissions at that point but it gives you a clean slate for testing permission granting once the new Morpho is built.

Please let me know how you'd like to proceed

#2 Updated by ben leinfelder almost 10 years ago

putting the new Metacat code through some development testing.
found a few issues - working with Mike to resolve.

#3 Updated by ben leinfelder almost 10 years ago

we're still running a few test on the Metacat side of things.
I feel good about the Morpho side - enough so that I think you could build another installer and try a few operations out. I have not cleared the access rules yet. But that is a very quick operation (and getting them back is not).

#4 Updated by ben leinfelder almost 10 years ago

It sounds like this is resolved now (Jay's testing results would indicate such)

#6 Updated by Redmine Admin over 6 years ago

Original Bugzilla ID was 4451

Also available in: Atom PDF