Bug #4837
Permission error when ESA moderator attempts to modify a document
Status: closed
Description
The "Revise document" notification emailed to moderators currently contains a URL that looks something like this:
http://esa-dev.nceas.ucsb.edu/esa/cgi-bin/register-dataset.cgi?stage=modify&cfg=esa&docid=esa.65
If already logged in as a moderator (and not the owner of this document), clicking this link produces the following:
---------------------------
Failure
An error occurred. Please check the list of errors below:
- You don't have permission to edit this document, which is owned by uid=test,o=NCEAS,dc=ecoinformatics,dc=org. (Access Error #3)
---------------------------
ESA moderators, i.e. members of cn=esa-moderators,dc=ecoinformatics,dc=org, should have ALL permissions by default, so presumably they should be able to modify this document (and there may be times when they need to be able to do so).
Updated by Jim Regetz over 14 years ago
FYI, this is more than just an esa-moderators permission issue. Here is another case:
Currently on esa-dev, document esa.62 was originally created by daigle-test32, and apparently user 'test' was given all access rights after the fact. The access rules are:
ALLOW: [all] uid=test,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [all] cn=esa-moderators,dc=ecoinformatics,dc=org
ALLOW: [all] uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org
ALLOW: [read] [write] uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org
However, when logging in as 'test', clicking My Submissions (which shows this document), and then clicking the Edit button for esa.62, the following error is reported:
---------------------------
Failure
An error occurred. Please check the list of errors below:
- You don't have permission to edit this document, which is owned by uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org. (Access Error #3)
---------------------------
Perhaps the registry is not allowing anyone other than the owner to modify a document, regardless of other permissions? Is this a feature or a bug? In contrast, if I point Morpho at esa-dev and log in as 'test', I can successfully open this document, edit it, and save the changes back to the network.
Updated by Michael Daigle over 14 years ago
Fix in 1.9.2.
All rules in the doc should apply.
Updated by Michael Daigle over 14 years ago
Added the group information to the return xml for the metacat api getloggedinuserinfo call. Use that information to check whether the user's groups are principal, moderator or esa-admin. Here is the overall logic:
-- Check if the principal is 'public' and the permission is not 'read' then this document could not have been created in the registry so reject it
-- Check if the principal is the admin and permission is not 'all' then this document could not have been created in the registry so reject it
-- Check if user matches principal. If so, user is authorized
-- Check if the user is a moderator or admin. If so, user is authorized
-- Check if any of this user's groups matches the principal. If so, user is authorized
-- Check if any of this user's groups is an admin or moderator. If so, user is authorized
-- Otherwise, user is not authorized.
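The rule-evaluation logic listed above, as an added Python illustration (not Metacat's own registry code). The esa-moderators DN and the esa.62 rules are taken from this ticket; the esa-admin group DN is an assumed placeholder, and owner_only_can_modify reproduces the pre-fix behaviour the ticket reports.

```python
# Added illustration of the per-rule checks described in the comment above.
# Not Metacat's own registry code. The moderator DN is from the ticket; the
# esa-admin DN is an assumed placeholder.
MODERATOR_GROUP = "cn=esa-moderators,dc=ecoinformatics,dc=org"
ADMIN_GROUP = "cn=esa-admin,dc=ecoinformatics,dc=org"  # assumed placeholder

def rule_authorizes(principal, permissions, user, user_groups):
    """Apply the checks in the order listed, for one ALLOW rule.
    Returns True when the rule grants `user` (member of `user_groups`) access."""
    perms = set(permissions)
    # A 'public' rule that is not read-only could not have come from the registry
    if principal == "public" and perms != {"read"}:
        return False
    # An admin rule that is not 'all' likewise could not have come from the registry
    if principal == ADMIN_GROUP and perms != {"all"}:
        return False
    if user == principal:
        return True
    if user in (MODERATOR_GROUP, ADMIN_GROUP):
        return True
    if principal in user_groups:
        return True
    if MODERATOR_GROUP in user_groups or ADMIN_GROUP in user_groups:
        return True
    return False

def can_modify(user, user_groups, rules):
    """True if some rule carrying write or all authorizes the user to edit."""
    return any(
        {"write", "all"} & set(perms) and rule_authorizes(p, perms, user, user_groups)
        for p, perms in rules
    )

def owner_only_can_modify(user, owner):
    """Pre-fix behaviour reported in the ticket: only the owner may edit."""
    return user == owner

# Access rules on esa.62 as listed in the ticket (constructed from the page text)
ESA_62_OWNER = "uid=daigle-test32,o=unaffiliated,dc=ecoinformatics,dc=org"
ESA_62_RULES = [
    ("uid=test,o=NCEAS,dc=ecoinformatics,dc=org", ["all"]),
    ("cn=knb-prod,o=NCEAS,dc=ecoinformatics,dc=org", ["all"]),
    (MODERATOR_GROUP, ["all"]),
    ("uid=daigle,o=NCEAS,dc=ecoinformatics,dc=org", ["all"]),
    (ESA_62_OWNER, ["read", "write"]),
]
```

With these rules, user 'test' is authorized to edit esa.62 under the listed logic but denied under the owner-only check, which is the mismatch the ticket describes.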