[opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Michael Moossen m.moossen at alkacon.com
Thu Feb 14 15:45:03 CET 2008


Hi Dammian!

As said before, I tested this issue with success in the CVS HEAD (soon 
7.0.4). It would be best if you could also try this to confirm that
this issue has been fixed.

Kind regards,
Michael

-------------------

Alkacon Software GmbH  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org


Dammian Miller wrote:
> I posted the other day regarding this situation in OpenCMS 7.0.2.  After 
> testing on a vanilla installation of OpenCMS 7.0.3 I have confirmed that 
> this behaviour is still present.
> 
> In short, a user of a sub Organizational Unit (OU) assigned to a group 
> of said sub-OU is not able to access a resource via the public view of 
> the site, using http authentication, when their permissions are 
> explicitly set either at the user or group level to +r+v with overwrite 
> inheritance enabled where All Others is set to soft deny and overwrite 
> as well.   *Gasp.  If, however, the user is assigned to the root OU then 
> the permissions work as expected.
> 
> To replicate this situation I undertook the following steps:
> 
> Fresh install OpenCMS 7.0.3 under Tomcat 6.0.14 and MySQL 5.1
> 
> Admin view ->  create OU ‘test’.  Assign its root folder to 
> /sites/default/ - our test user is simulating users of a sub-OU having 
> access only to their sub-site or site section
> 
> Admin view ->  switch to OU /test/
> 
> Admin view -> users -> new user ‘test’  - assign group test/Users 
> inherits group root/Users
> 
> Explorer view -> in Offline project root OU create new text file called 
> test.txt: /sites/default/test.txt.  add some content. 
> 
> Explorer view -> set permissions on test.txt to ‘Overwrite all 
> permissions’, ‘All Others’ overwrite inherited and un-tick all other 
> boxes. Set group test/Users overwrite inherited and +r +v.  Can set user 
> /test/test permissions also to overwrite inherited and +r +v.
> 
> Publish.
> 
> View site http://localhost/test.txt (or whatever URL you use for local 
> testing) from front end using your method of choice - hosts, virtual 
> hosts, etc
> 
> You should get the http browser authentication prompt.  Entering the 
> test user’s login details does not work, with the prompt returning.  If 
> using a root OU user’s login details after setting permissions either 
> for that user or their root group access works fine as does access for 
> root Admin.  
> 
> Now, at this point I am after feedback to further confirm this behaviour 
> and also that it is not as it should be in this scenario.  Assuming I 
> haven’t got my wires crossed, any ideas on where, why and how to fix?
> 
> Any help on this matter is greatly appreciated as this is prohibiting 
> use of sub-OUs for me at this stage and I can’t imagine others could 
> effectively utilize them with such a vital permissions issue occurring.
> 
> Hope I’ve been clear enough.
> 
> A *workaround* I have discovered is to assign the user ‘test’ to the 
> root OU, remove all groups assigned then assign the group Users from the 
> test OU to it.  This seems to work in terms of segregation of groups and 
> users visible to that user as well as other assets such as image 
> galleries – only groups, users and resources within the test OU are 
> visible to user ‘test’, even though ‘test’ is in the root OU.
> 
> Thank you all for your help in this matter.
> 
> Regards,
> 
> Dammian Miller.