[MAGNOLIA-3815] Editing users deletes roles if permissions to read roles are missing
Created: 30/Aug/11 Updated: 04/Aug/15 Resolved: 04/Aug/15 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | admininterface, security |
| Affects Version/s: | 4.4.3 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Richard Unger | Assignee: | Philipp Bärfuss |
| Resolution: | Outdated | Votes: | 0 |
| Labels: | security, usermanager | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Magnolia EE 4.4.3, Platform/Hardware doesn't matter |
||
| Description |
|
When a user is edited, if the user who is doing the editing does not have at least read-access to the roles assigned to the user being edited, these roles will be deleted when the user is saved. Not only that, but they will be "partially" deleted, resulting in an incorrectly configured user node which can still work, but causes exceptions in the login-processing. (See stack trace in comments).
Suggested fix:
Undesirable, but better than the status quo:
Background info: We are implementing a kind of delegated security model for our customer:
In this way, we set up the security policies via the roles we create for the customer, and assign the roles to groups which the customer can use to configure which user can do what. |
| Comments |
| Comment by Richard Unger [ 30/Aug/11 ] |
|
Stack-Trace of the exception caused by this problem in attachment. |
| Comment by Michael Mühlebach [ 04/Aug/15 ] |
|
We're closing this issue as outdated as it was reported for 4.4.x or earlier versions which are no longer supported. Don't hesitate to reopen or create a new ticket in case this is still relevant and you'll experience it on 4.5.x or later versions. |