
bug #7531

PermissionDeniedException on flushing registration with modified status even if the user has the required authority

Added by Andreas Kohlbecker 5 months ago. Updated 4 months ago.

Status: Closed
Priority: Highest
Category: cdmlib
Target version:
Start date: 07/04/2018
Due date:
% Done: 50%
Severity: critical
Found in Version:

Description

A user with the GrantedAuthority REGISTRATION(PREPARATION).[UPDATE]{06649467-7c4f-4b8b-98e6-395e4d3af240} changes the status of the Registration (uuid=06649467-7c4f-4b8b-98e6-395e4d3af240) from PREPARATION to CURATION. Saving the modification to the storage fails with a PermissionDeniedException.

This happens because the RegistrationVoter only sees the updated RegistrationStatus, not the old one.

Potential solution:

1)

The parameters Object[] previousState and String[] propertyNames, which are available in the interceptor methods (CdmSecurityHibernateInterceptor), must also be passed to the PermissionVoters in general, and particularly to the furtherVotingDecission() method.

  • This makes the authorization implementation more complex but would also offer more degrees of freedom.

2)

The Submitter is granted REGISTRATION(PREPARATION,CURATION).[UPDATE]{06649467-7c4f-4b8b-98e6-395e4d3af240}.

  • The Submitter would be enabled to save the state transition PREPARATION -> CURATION.
  • Drawback: the user would still be able to modify the registration after it has passed to curation, e.g. by adding typeDesignations. This problem could be avoided by revoking this permission when the status changes, e.g. by the GrantedAuthorityRevokingRegistrationUpdateLister (see #7148).

3)

The Submitter is granted REGISTRATION.[UPDATE]{06649467-7c4f-4b8b-98e6-395e4d3af240}.

  • Drawback: the user would be able to modify registrations in any status. This problem must be reliably avoided by revoking this permission when the status changes, e.g. by the GrantedAuthorityRevokingRegistrationUpdateLister (see #7148).

4)

The RegistrationStatus change is performed by a special service bean which does it on behalf of the user. The submitter would trigger an event to this service bean to request the status change. The service bean in turn checks the permissions of the requester and would then execute the status change in a runAs environment as SYSTEM_USER.

  • Drawback: the "updated by" field would not mention the submitter.
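The following is an added, self-contained illustration (not cdmlib's own code) of why the voter must see the previous state and how solution 1 resolves it. TargetEntityStates, the authority grammar and vote() below are hypothetical simplifications of the cdmlib classes named in this ticket; the sample uuid and statuses are taken from the description.

```java
import java.util.*;
import java.util.regex.*;

public class RegistrationVoteExample {
    // Hypothetical stand-in for cdmlib's TargetEntityStates: the property values being
    // flushed plus the values from the interceptor's previousState (empty if unknown).
    static final class TargetEntityStates {
        final Map<String, String> current, previous;
        TargetEntityStates(Map<String, String> current, Map<String, String> previous) {
            this.current = current;
            this.previous = previous;
        }
        boolean hasChanged(String property) {
            return previous.containsKey(property)
                    && !previous.get(property).equals(current.get(property));
        }
    }

    // Authority syntax from the ticket: REGISTRATION(STATUS[,STATUS...]).[OPERATION]{uuid}
    static final Pattern AUTHORITY =
            Pattern.compile("REGISTRATION\\(([A-Z_,]+)\\)\\.\\[([A-Z_]+)\\]\\{([0-9a-f-]+)\\}");

    // Simplified voter: the authority must name the entity's uuid, the operation and a
    // status the user may update. If the status itself is being changed, the status to
    // check is the PREVIOUS one; checking only the new status is the reported bug.
    static boolean vote(String authority, String operation, TargetEntityStates target) {
        Matcher m = AUTHORITY.matcher(authority);
        if (!m.matches() || !m.group(2).equals(operation)) return false;
        if (!m.group(3).equals(target.current.get("uuid"))) return false;
        Set<String> allowed = new HashSet<>(Arrays.asList(m.group(1).split(",")));
        String status = target.hasChanged("status")
                ? target.previous.get("status") : target.current.get("status");
        return allowed.contains(status);
    }

    public static void main(String[] args) {
        String uuid = "06649467-7c4f-4b8b-98e6-395e4d3af240";
        String authority = "REGISTRATION(PREPARATION).[UPDATE]{" + uuid + "}";
        Map<String, String> before = Map.of("uuid", uuid, "status", "PREPARATION");
        Map<String, String> after = Map.of("uuid", uuid, "status", "CURATION");
        // Voter sees only the updated entity: denied, i.e. the PermissionDeniedException
        System.out.println(vote(authority, "UPDATE", new TargetEntityStates(after, Map.of())));
        // Voter sees the previous status PREPARATION as well: granted
        System.out.println(vote(authority, "UPDATE", new TargetEntityStates(after, before)));
        // A later edit while the registration is already in CURATION: still denied
        System.out.println(vote(authority, "UPDATE", new TargetEntityStates(after, after)));
    }
}
```

The third call shows the extra degree of freedom solution 1 mentions: the same PREPARATION-only authority permits the transition out of PREPARATION but no further edits once the registration is in CURATION.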

Related issues

Related to bug #7528: Allow changing the Registration status in the RegistrationWorkingsetEditor Closed 08/03/2018
Related to feature request #7148: GrantedAuthorityRevokingRegistrationUpdateLister: delete orphan references to GrantedAuthorityImpl in User and Group Closed 12/21/2017

Associated revisions

Revision 72ce5ca1 (diff)
Added by Andreas Kohlbecker 5 months ago

ref #7531 introducing TargetEntityStates to replace plain cdm entities in the permission voting process

Revision 56e9117c (diff)
Added by Andreas Kohlbecker 5 months ago

ref #7531 RegistrationVoter evaluates previous state on Registration.status changes

Revision 8f51ee96 (diff)
Added by Andreas Kohlbecker 5 months ago

ref #7531 CdmPermissionEvaluator.hasPermission() wraps cdm entities in TargetEntityStates

History

#1 Updated by Andreas Kohlbecker 5 months ago

  • Related to bug #7528: Allow changing the Registration status in the RegistrationWorkingsetEditor added

#2 Updated by Andreas Kohlbecker 5 months ago

  • Status changed from New to In Progress

#3 Updated by Andreas Kohlbecker 5 months ago

  • Description updated (diff)

#4 Updated by Andreas Kohlbecker 5 months ago

  • Description updated (diff)

Solution 1) still looks like the best option we have.

#5 Updated by Andreas Kohlbecker 5 months ago

  • Related to feature request #7148: GrantedAuthorityRevokingRegistrationUpdateLister: delete orphan references to GrantedAuthorityImpl in User and Group added

#6 Updated by Andreas Kohlbecker 5 months ago

  • Description updated (diff)

#7 Updated by Andreas Kohlbecker 5 months ago

  • Status changed from In Progress to Resolved
  • Assignee changed from Andreas Kohlbecker to Andreas Müller
  • % Done changed from 0 to 50

Fixed by implementing solution 1)

@Andreas Müller: can you please review the changes in cdmlib?

#8 Updated by Andreas Müller 4 months ago

  • Status changed from Resolved to Closed
  • Assignee changed from Andreas Müller to Andreas Kohlbecker

Very beautiful code ;-), I think we can close this ticket.
