[opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Dammian Miller dammian at melbournebusinessonline.com.au
Thu Feb 14 15:36:14 CET 2008


I posted the other day regarding this situation in OpenCMS 7.0.2.  After
testing on a vanilla installation of OpenCMS 7.0.3 I have confirmed that
this behaviour is still present.

In short, a user of a sub Organizational Unit (OU) assigned to a group of
said sub-OU is not able to access a resource via the public view of the
site, using HTTP authentication, when their permissions are explicitly set
either at the user or group level to +r+v with overwrite inheritance enabled
where All Others is set to soft deny and overwrite as well. *Gasp. If,
however, the user is assigned to the root OU then the permissions work as
expected.

To replicate this situation I undertook the following steps:

Fresh install OpenCMS 7.0.3 under Tomcat 6.0.14 and MySQL 5.1

Admin view ->  create OU 'test'.  Assign its root folder to /sites/default/
- our test user is simulating users of a sub-OU having access only to their
sub-site or site section

Admin view ->  switch to OU /test/

Admin view -> users -> new user 'test'  - assign group test/Users inherits
group root/Users

Explorer view -> in Offline project root OU create new text file called
test.txt: /sites/default/test.txt.  add some content.  

Explorer view -> set permissions on test.txt to 'Overwrite all permissions',
'All Others' overwrite inherited and un-tick all other boxes. Set group
test/Users overwrite inherited and +r +v.  Can set user /test/test
permissions also to overwrite inherited and +r +v.

Publish.

View site http://localhost/test.txt (or whatever URL you use for local
testing) from front end using your method of choice - hosts, virtual hosts,
etc.

You should get the HTTP browser authentication prompt.  Entering the test
user's login details does not work, with the prompt returning.  If using a
root OU user's login details after setting permissions either for that user
or their root group access works fine as does access for root Admin.  

Now, at this point I am after feedback to further confirm this behaviour and
also that it is not as it should be in this scenario.  Assuming I haven't
got my wires crossed, any ideas on where, why and how to fix?

Any help on this matter is greatly appreciated as this is prohibiting use of
sub-OUs for me at this stage and I can't imagine others could effectively
utilize them with such a vital permissions issue occurring.

Hope I've been clear enough.

A workaround I have discovered is to assign the user 'test' to the root OU,
remove all groups assigned then assign the group Users from the test OU to
it.  This seems to work in terms of segregation of groups and users visible
to that user as well as other assets such as image galleries - only groups,
users and resources within the test OU are visible to user 'test', even
though 'test' is in the root OU.

Thank you all for your help in this matter.

Regards,

Dammian Miller.
