Project

General

Profile

Actions

bug #9183

open

New Registration View: prevent user from continuing to Registration for which permissions are not sufficient

Added by Andreas Kohlbecker over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
New
Category:
cdm-vaadin
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Severity:
normal
Found in Version:

Description

Users can select references in the new registration view even if permissions to edit them are not suficcient. Clicking on the "Continue" button routes to the RegistrationWorkingsetView and an error is raised without notifying on the lack of permissions properly:

... 88 more
Caused by: eu.etaxonomy.cdm.database.PermissionDeniedException: Access to the workingset is denied for the current user.
at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.checkPermissions(RegistrationWorkingSetService.java:298)
at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.loadWorkingSetByReferenceUuid(RegistrationWorkingSetService.java:275)
at sun.reflect.GeneratedMethodAccessor1710.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
at com.sun.proxy.$Proxy233.loadWorkingSetByReferenceUuid(Unknown Source)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.loadWorkingSet(RegistrationWorkingsetPresenter.java:271)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.handleViewEntered(RegistrationWorkingsetPresenter.java:247)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorksetViewBean.enter(RegistrationWorksetViewBean.java:169)

Solutions:

A. Filter out all references for which the user is not having enough permissions - preferred
B. Block the "Continue" button from being clicked - with caveats, see below

Option B. still allows to lookup references in the system even if the user has not the permissions to modify them. This could expose names mentioned in the reference title which should be undisclosed.

StartRegistrationPresenter.handleViewEntered() already implements a permission filter, but it seems not to be reliable in all cases:


// restrict by allowed reference uuids
                Set<UUID> allowedUuids = referencePermissions.stream().filter(p -> p.getTargetUUID() != null).map(CdmAuthority::getTargetUUID).collect(Collectors.toSet());
Actions #1

Updated by Andreas Kohlbecker over 2 years ago

  • Description updated (diff)
Actions #2

Updated by Andreas Kohlbecker over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Andreas Kohlbecker over 2 years ago

Filtering by restrictions seems to be the root of the problem:

Criterion uuidRestriction = Restrictions.in("uuid", allowedUuids);
criterion = Restrictions.and(criterion, Restrictions.or(pulishedOnly, uuidRestriction));

References are added to the list even if not in the allowedUuids!

Actions

Also available in: Atom PDF