[opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Schliemann, Kai K.Schliemann at comundus.com
Fri Feb 15 09:55:11 CET 2008


Hi Olli, hi Michael, hi list,

I experienced the same issue a while ago and posted a message (http://www.nabble.com/OpenCms-7.0.3%3A-role-%22Account-Manager%22-can-change-Admin-password-to14998248.html#a14998248) about a month ago.
Unfortunately I got no satisfying answer. 

I would be very interested if that "bug" is fixed in the upcoming version 7.0.4.

Regards

Kai

-----Original Message-----
From: opencms-dev-bounces at opencms.org [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Olli Aro
Sent: Thursday, 14 February 2008 16:46
To: 'The OpenCms mailing list'
Subject: Re: [opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Hi Michael,

Is this the same thing as the following?

I log in to workplace as a user who is a member of a sub unit and has the account management role. This user can then see the parent unit and edit all those users. This user can also edit the admin user and use the "switch user" functionality in order to become the admin user and get access to all areas of CMS.

Or is the above something that can be avoided by more advanced OpenCms configuration?

Regards,

Olli

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Michael Moossen
Sent: 14 February 2008 14:45
To: dammian at melbournebusinessonline.com.au; The OpenCms mailing list
Subject: [Bulk] Re: [opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Hi Dammian!

As said before, I tested this issue with success in the CVS HEAD (soon 7.0.4).
It would be best if you could also try this to confirm that this issue has been fixed.

Kind regards,
Michael

-------------------

Alkacon Software GmbH  - The OpenCms Experts http://www.alkacon.com - http://www.opencms.org

Visit us on CeBIT expo in Hannover, Germany March 4 to March 9, 2008 - Hall 5 Stand F59/3


Dammian Miller wrote:
> I posted the other day regarding this situation in OpenCMS 7.0.2.  
> After testing on a vanilla installation of OpenCMS 7.0.3 I have 
> confirmed that this behaviour is still present.
> 
>  
> 
> In short, a user of a sub Organizational Unit (OU) assigned to a group 
> of said sub-OU is not able to access a resource via the public view of 
> the site, using http authentication, when their permissions are 
> explicitly set either at the user or group level to +r+v with 
> overwrite inheritance enabled where All Others is set to soft deny and overwrite
> as well.   *Gasp.  If, however, the user is assigned to the root OU then 
> the permissions work as expected.
> 
> To replicate this situation I undertook the following steps:
> 
> Fresh install OpenCMS 7.0.3 under Tomcat 6.0.14 and MySQL 5.1
> 
> Admin view ->  create OU 'test'.  Assign its root folder to 
> /sites/default/ - our test user is simulating users of a sub-OU having 
> access only to their sub-site or site section
> 
> Admin view ->  switch to OU /test/
> 
> Admin view -> users -> new user 'test'  - assign group test/Users 
> inherits group root/Users
> 
> Explorer view -> in Offline project root OU create new text file 
> called test.txt: /sites/default/test.txt.  add some content. 
> 
> Explorer view -> set permissions on test.txt to 'Overwrite all 
> permissions', 'All Others' overwrite inherited and un-tick all other 
> boxes. Set group test/Users overwrite inherited and +r +v.  Can set 
> user /test/test permissions also to overwrite inherited and +r +v.
> 
> Publish.
> 
> View site http://localhost/test.txt (or whatever URL you use for local
> testing) from front end using your method of choice - hosts, virtual 
> hosts, etc
> 
>  
> 
> You should get the http browser authentication prompt.  Entering the 
> test user's login details does not work, with the prompt returning.  
> If using a root OU user's login details after setting permissions 
> either for that user or their root group access works fine as does 
> access for root Admin.
> 
>  
> 
> Now, at this point I am after feedback to further confirm this 
> behaviour and also that it is not as it should be in this scenario.  
> Assuming I haven't got my wires crossed, any ideas on where, why and how to fix?
> 
> Any help on this matter is greatly appreciated as this is prohibiting 
> use of sub-OUs for me at this stage and I can't imagine others could 
> effectively utilize them with such a vital permissions issue occurring.
> 
>  
> 
> Hope I've been clear enough.
> 
>  
> 
> A *workaround* I have discovered is to assign the user 'test' to the 
> root OU, remove all groups assigned then assign the group Users from 
> the test OU to it.  This seems to work in terms of segregation of 
> groups and users visible to that user as well as other assets such as 
> image galleries. - only groups, users and resources within the test OU 
> are visible to user 'test', even though 'test' is in the root OU.
> 
>  
> 
> Thank you all for your help in this matter.
> 
> Regards,
> 
> Dammian Miller.
> 
> ------------------------------------------------------------------------
> 
> 
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list To change 
> your list options, or to unsubscribe from the list, please visit 
> http://lists.opencms.org/mailman/listinfo/opencms-dev

_______________________________________________
This mail is sent to you from the opencms-dev mailing list To change your list options, or to unsubscribe from the list, please visit http://lists.opencms.org/mailman/listinfo/opencms-dev
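
The boundary that Olli's message describes being crossed (an account manager in a sub-OU editing, or switching to, a user of the parent unit) can be written as an OU containment check. This is an added example, not OpenCms code and not the project's fix; the class and method names are hypothetical, the sample data is constructed, and OU paths follow the `/test/` notation used in the thread.

```java
public class OuScopeCheck {

    /** Normalise an OU path to a leading and trailing slash; "/" is the root OU. */
    static String normalize(String ou) {
        if (ou == null || ou.isEmpty()) {
            return "/";
        }
        String p = ou.startsWith("/") ? ou : "/" + ou;
        return p.endsWith("/") ? p : p + "/";
    }

    /** True when targetOu is managerOu itself or one of its descendants. */
    static boolean inScope(String managerOu, String targetOu) {
        // Comparing normalised paths keeps "/test/" from matching "/testing/".
        return normalize(targetOu).startsWith(normalize(managerOu));
    }

    /**
     * One decision for every account operation (edit, password change,
     * switch user): the role must be held AND the target must live in
     * the acting user's OU subtree.
     */
    static boolean mayManage(String actorOu, boolean hasAccountManagerRole, String targetOu) {
        return hasAccountManagerRole && inScope(actorOu, targetOu);
    }

    public static void main(String[] args) {
        // Constructed cases: {actor OU, target user's OU, expected result}
        String[][] cases = {
            {"/test/", "/test/",     "true"},  // same OU
            {"/test/", "/test/sub/", "true"},  // descendant OU
            {"/test/", "/",          "false"}, // parent/root OU, e.g. the Admin user
            {"/test",  "/testing/",  "false"}, // sibling with a shared name prefix
            {"/",      "/test/",     "true"},  // root account manager
        };
        for (String[] c : cases) {
            boolean got = mayManage(c[0], true, c[1]);
            System.out.printf("actor=%-7s target=%-11s allowed=%-5s expected=%s%n",
                    c[0], c[1], got, c[2]);
            if (got != Boolean.parseBoolean(c[2])) {
                throw new AssertionError("unexpected result for " + c[0] + " -> " + c[1]);
            }
        }
    }
}
```

The third case is the one to keep as a regression test after an upgrade: an account manager whose OU is `/test/` must be refused for any user in the root OU.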