[opencms-dev] Confirming sub Organizational Unit users/groups permissions bug

Michael Moossen m.moossen at alkacon.com
Fri Feb 15 12:59:12 CET 2008


Hi Oli!

No, these are not the same.

Your 'problem' has 2 parts:
 > This user can then see the parent unit and edit all those users.
No, this should not be the case, and I cannot reproduce it.

 > This user can also edit admin user and use the "switch user"
 > functionality in order to become the admin user and get access to all
 > areas of CMS.
This works as designed, or better said, we have not really thought about 
this. It is not decided yet if we will do something about this in 7.0.4.

Kind regards,
Michael

-------------------

Alkacon Software GmbH - The OpenCms Experts
Michael Moossen
An der Wachsfabrik 13
50996 Koeln, DE

Visit us at CeBIT 2008
Hall 5, Stand F59/3

Tel: +49 (0)2236 3826-0
Fax: +49 (0)2236 3826-20
Email: m.moossen at alkacon.com

http://www.alkacon.com
http://www.opencms.org


Olli Aro wrote:
> Hi Michael,
> 
> Is this the same thing as the following?
> 
> I log in to the workplace as a user who is a member of a sub unit and has the
> account management role. This user can then see the parent unit and edit all
> those users. This user can also edit admin user and use the "switch user"
> functionality in order to become the admin user and get access to all areas
> of CMS.
> 
> Or is the above something that can be avoided by more advanced OpenCms
> configuration?
> 
> Regards,
> 
> Olli
> 
> -----Original Message-----
> From: opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Michael Moossen
> Sent: 14 February 2008 14:45
> To: dammian at melbournebusinessonline.com.au; The OpenCms mailing list
> Subject: [Bulk] Re: [opencms-dev] Confirming sub Organizational Unit
> users/groups permissions bug
> 
> Hi Dammian!
> 
> As said before, I tested this issue with success in the CVS HEAD (soon 
> 7.0.4).
> It would be best if you could also try this to confirm that
> this issue has been fixed.
> 
> Kind regards,
> Michael
> 
> -------------------
> 
> Alkacon Software GmbH  - The OpenCms Experts
> http://www.alkacon.com - http://www.opencms.org
> 
> Visit us on CeBIT expo in Hannover, Germany
> March 4 to March 9, 2008 - Hall 5 Stand F59/3
> 
> 
> Dammian Miller wrote:
>> I posted the other day regarding this situation in OpenCMS 7.0.2.  After 
>> testing on a vanilla installation of OpenCMS 7.0.3 I have confirmed that 
>> this behaviour is still present.
>>
>>  
>>
>> In short, a user of a sub Organizational Unit (OU) assigned to a group 
>> of said sub-OU is not able to access a resource via the public view of 
>> the site, using http authentication, when their permissions are 
>> explicitly set either at the user or group level to +r+v with overwrite 
>> inheritance enabled where All Others is set to soft deny and overwrite 
>> as well.   *Gasp.  If, however, the user is assigned to the root OU then 
>> the permissions work as expected.
>>
>> To replicate this situation I undertook the following steps:
>>
>> Fresh install OpenCMS 7.0.3 under Tomcat 6.0.14 and MySQL 5.1
>>
>> Admin view ->  create OU 'test'.  Assign its root folder to 
>> /sites/default/ - our test user is simulating users of a sub-OU having 
>> access only to their sub-site or site section
>>
>> Admin view ->  switch to OU /test/
>>
>> Admin view -> users -> new user 'test'  - assign group test/Users 
>> inherits group root/Users
>>
>> Explorer view -> in Offline project root OU create new text file called 
>> test.txt: /sites/default/test.txt.  add some content. 
>>
>> Explorer view -> set permissions on test.txt to 'Overwrite all 
>> permissions', 'All Others' overwrite inherited and un-tick all other 
>> boxes. Set group test/Users overwrite inherited and +r +v.  Can set user 
>> /test/test permissions also to overwrite inherited and +r +v.
>>
>> Publish.
>>
>> View site http://localhost/test.txt (or whatever URL you use for local 
>> testing) from front end using your method of choice - hosts, virtual 
>> hosts, etc
>>
>>  
>>
>> You should get the http browser authentication prompt.  Entering the 
>> test user's login details does not work, with the prompt returning.  If 
>> using a root OU user's login details after setting permissions either 
>> for that user or their root group access works fine as does access for 
>> root Admin.  
>>
>>  
>>
>> Now, at this point I am after feedback to further confirm this behaviour 
>> and also that it is not as it should be in this scenario.  Assuming I 
>> haven't got my wires crossed, any ideas on where, why and how to fix?
>>
>> Any help on this matter is greatly appreciated as this is prohibiting 
>> use of sub-OUs for me at this stage and I can't imagine others could 
>> effectively utilize them with such a vital permissions issue occurring.
>>
>>  
>>
>> Hope I've been clear enough.
>>
>>  
>>
>> A *workaround* I have discovered is to assign the user 'test' to the 
>> root OU, remove all groups assigned then assign the group Users from the 
>> test OU to it.  This seems to work in terms of segregation of groups and 
>> users visible to that user as well as other assets such as image 
>> galleries. - only groups, users and resources within the test OU are 
>> visible to user 'test', even though 'test' is in the root OU.
>>
>>  
>>
>> Thank you all for your help in this matter.
>>
>>  
>>
>>  
>>
>> Regards,
>>
>>  
>>
>> Dammian Miller.
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> This mail is sent to you from the opencms-dev mailing list
>> To change your list options, or to unsubscribe from the list, please visit
>> http://lists.opencms.org/mailman/listinfo/opencms-dev
> 


