Project

General

Profile

bug #7390

possible permission clash when adding basionym

Added by Andreas Kohlbecker 7 months ago. Updated 7 months ago.

Status:
Duplicate
Priority:
New
Category:
cdmlib
Target version:
Start date:
04/30/2018
Due date:
% Done:

0%

Severity:
normal
Found in Version:
Tags:

Description

When a user is only having per entity grants to UPDATE TaxonNames adding a basionym to a taxonname may fail:

  • TaxonName "Beta exemplaris" for which the user has the UPDATE authority
  • TaxonName "Alpha exemplaris" for which the user is not having the update permission.

Adding "Alpha exemplaris" as basionym to "Beta exemplaris" will fail in this situation during the hibernate session flush since the new basionym name relationships will be added to both of the taxon names. This operation should be possible, though. The scientific name at the from-side (that is the basionym) of the name relation is not altered by using it as a basionym for another name.

The same issue exists also replaced synonym relations!

Possible solutions:

  • General solution:
    • Skip the permission check for name relations at the from-side for basionym and replaced-synonym relations. How about other relations? (This can be reached e.g. by removing the according Cascade)
    • Introduce a new permission concept like privileged access for updates: priviledged update? (see SAP)
  • Application specific: Temporarily grant the UPDATE authority to the user performing the operations in the client application. Grant before flushing the session and remove the grant afterwards. Use a try-catch-finally clause where the withdrawal of the temporary permission is done in the finally clause. --> #7391

see also WorkshopRightsAndRoles2017-11


Related issues

Related to Edit - bug #7391: grant UPDATE for taxonnames temporarily when using a name as basionym Rejected 04/30/2018
Related to Edit - bug #7392: Remove Cascade from relations Closed 04/30/2018

History

#1 Updated by Andreas Kohlbecker 7 months ago

  • Related to bug #7391: grant UPDATE for taxonnames temporarily when using a name as basionym added

#2 Updated by Andreas Kohlbecker 7 months ago

  • Tags changed from phycobank to permission

#3 Updated by Andreas Kohlbecker 7 months ago

  • Description updated (diff)

#4 Updated by Andreas Müller 7 months ago

  • Status changed from New to In Progress
  • Target version changed from Unassigned CDM tickets to Release 5.0

I think we should first check if removing Cascade from RelationBase.from and RelationBase.to may solve the problem. This is something we are planning anyway to improve performance.
Only we need to check if some explicit saves need to be handled within running applications (TaxEditor, VaadinEditor, imports, ...). First expectation is that only imports may need to be adapted at some points.

#5 Updated by Andreas Müller 7 months ago

  • Description updated (diff)

Andreas Müller wrote:

I think we should first check if removing Cascade from RelationBase.from and RelationBase.to may solve the problem. This is something we are planning anyway to improve performance.

This actually is equivalent with the "general solution"

#6 Updated by Andreas Kohlbecker 7 months ago

  • Description updated (diff)

#7 Updated by Andreas Kohlbecker 7 months ago

  • Description updated (diff)

#8 Updated by Andreas Kohlbecker 7 months ago

I did some further examination of an concrete example for this issue. The problem actually only occurs when adding a second basionym to a name B which already is having a basionym A where the basionym A is already being used as basionym for a name C. In this case the
PermissionDeniedException is thrown when the second basionym has been added to A.

#9 Updated by Andreas Müller 7 months ago

  • Related to bug #7392: Remove Cascade from relations added

#10 Updated by Andreas Kohlbecker 7 months ago

  • Status changed from In Progress to Duplicate

This issue has been clearly solved by fixing #7392, so we can consider this issue being a duplicate of #7392.

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 40 MB)