[MAGNOLIA-6357] User with role=superuser can't see the role superuser when logged in

Created: 25/Aug/15  Updated: 19/May/22  Resolved: 19/May/22

Status: Closed
Project: Magnolia
Component/s: admininterface, security
Affects Version/s: 5.3.10
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Gino Esposto
Assignee: Unassigned
Resolution: Won't Do
Votes: 2
Labels: security, userroles
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 14.04.3 LTS (GNU/Linux 3.16.0-45-generic x86_64)
java.vendor: Oracle Corporation
java.runtime.version: 1.7.0_80-b15
tomcat 7



 Description   

When we create a new user on one of our Magnolia instances (QUAL and PROD), for example "poweruser", and associate the group "publisher" and the role "superuser" to this new account and then log in with "poweruser", we can only see the following roles on "Security => ROLES":

  • publisher
  • workflow-base

The user "poweruser" cannot see the role "superuser", and therefore can't create a user with the role "superuser". We are sure this was possible a couple of releases ago.
It seems like a user can only see the userroles the account is associated with, excluding the role superuser. It makes no difference if the user was created as "USER" or "SYSTEM USER"...

This means we can only create new accounts associated with the role "superuser" by logging in as "superuser"... strange.

Did something change with the user/role management in Magnolia? Or do we have a problem with our Magnolia instances?

Thank you for your help!

Regards,
Gino



 Comments   
Comment by Jan Haderka [ 25/Aug/15 ]

Just tried to reproduce this on demo and it works fine there. Can you try as well? And if you are able to reproduce the issue, can you provide exact steps on how to do it? Right now it looks more like something related to your setting or modification of rights in the roles rather than something in Magnolia.

Comment by Gino Esposto [ 26/Aug/15 ]

Hello Jan

Thanks for the feedback. I have tried to reproduce on the online demo, and true, the behaviour is different there, and users with the superuser role can also see all the roles including superuser.

Now I realised that in our setup, when I log in as superuser and edit the ACL of the role superuser, "Userroles" has Read/Write only on "Selected" path /. The online demo shows "Selected and sub nodes" on the Userroles... If I try to change it to "Selected and sub nodes" on our Magnolia and click "Save changes", the value is not saved and the Userroles dropdown remains on "Selected".

What's the problem here? Could this be the cause of the problem? How could we fix this?

Thanks,
Gino

Comment by Gino Esposto [ 26/Aug/15 ]

I found a workaround for the problem:
In the role superuser I added another rule (ADD NEW) for Userroles in the ACL with "Read/Write" "Selected and sub nodes" "/" and saved it. After this the ACL only showed the newly added rule. Now everything works again...

Comment by Gino Esposto [ 26/Aug/15 ]

Hmmm, the problem also appears on the online demo, I could reproduce it there!

What I did:

1. I logged in as superuser in the online demo
2. I opened SET UP => Security => ROLES
3. In the list of roles I double-clicked on "superuser"
4. In the Role dialog i changed to the tab ACCESS CONTROL LISTS
5. I scrolled down to check the settings on "Userroles", they showed "Read/Write", "Selected and sub nodes", "/"
6. I saved the unchanged ACL list by clicking "SAVE CHANGES"
7. I repeated steps 2. - 5. to open up the ACL list of the role "superuser" to check the settings for "Userroles"
8. Now it showed "Read/Write", "Selected", "/".
9. I changed the drop down value for "Userroles" from "Selected" to "Selected and sub nodes" and saved it
10. The value was not saved and remained on "Selected"

This is definitely a bug in Magnolia and the workaround is like my description above: Click ADD NEW and add another rule "Userroles" = "Read/Write", "Selected and sub nodes", "/" and save it. Then the value "Selected and sub nodes" is saved, but only until you save the ACL form again, then the value is returned to "Selected" and cannot be changed anymore.

Please fix this asap! Thanks.
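
The scope difference reported in this thread, as an added illustration (not part of the ticket and not Magnolia's code): a simplified model that assumes "Selected" covers only the exact path while "Selected and sub nodes" also covers its descendants. The role node paths and the two non-superuser grants are constructed sample data.

```python
from dataclasses import dataclass

SELECTED = "Selected"
SELECTED_AND_SUB = "Selected and sub nodes"

@dataclass(frozen=True)
class AclEntry:
    permission: str  # label as shown in the ACL tab, e.g. "Read/Write"
    scope: str       # SELECTED or SELECTED_AND_SUB
    path: str        # node path inside the Userroles workspace

def covers(entry, node_path):
    """True if the entry's scope includes node_path (assumed semantics)."""
    if node_path == entry.path:
        return True
    if entry.scope != SELECTED_AND_SUB:
        return False
    prefix = entry.path.rstrip("/") + "/"
    return node_path.startswith(prefix)

def visible_roles(entries, role_paths):
    """Role names reachable through at least one ACL entry."""
    return sorted(p.strip("/") for p in role_paths
                  if any(covers(e, p) for e in entries))

def narrowed_root_entries(entries):
    """Entries on "/" that no longer reach sub nodes (the re-saved state)."""
    return [e for e in entries if e.path == "/" and e.scope == SELECTED]

# Constructed sample data: one node per role named in the ticket.
ROLE_NODES = ["/publisher", "/superuser", "/workflow-base"]
# Constructed: grants assumed to come from the account's other roles.
OTHER_GRANTS = [
    AclEntry("Read only", SELECTED, "/publisher"),
    AclEntry("Read only", SELECTED, "/workflow-base"),
]
# State after re-saving the superuser ACL form, as reported in the steps.
AS_RESAVED = AclEntry("Read/Write", SELECTED, "/")
# State right after the ADD NEW workaround.
WORKAROUND = AclEntry("Read/Write", SELECTED_AND_SUB, "/")

if __name__ == "__main__":
    for label, entry in (("re-saved", AS_RESAVED), ("workaround", WORKAROUND)):
        acl = OTHER_GRANTS + [entry]
        print(label, visible_roles(acl, ROLE_NODES),
              "narrowed:", len(narrowed_root_entries(acl)))
```
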

Comment by Gino Esposto [ 17/Sep/15 ]

Hello Jan

Could you reproduce? This is a serious bug! Any plans to fix this anytime soon?
Thank you for feedback!

Regards,
Gino

Comment by Jan Haderka [ 17/Sep/15 ]

Hi Gino,

sorry I haven't noticed your comment earlier. Yes, I can confirm that I managed to reproduce the issue.
It seems that the issue has been in for quite a while and hasn't been noticed by anyone yet. People will rarely modify anything related to superuser as this role by default grants all access and thus is not in need of being redefined, and the superuser user is discouraged from being used in a prod environment. The issue itself will eventually get fixed but right now I can't give you any timeline as there are other issues scheduled for fixing.

If you have a support contract, you might want to open a support ticket and request a fix under the terms of your contract to speed it up.

Cheers,
Jan

Comment by Roman Kovařík [ 19/May/22 ]

Hello,

This ticket is now marked as closed due to one of the following reasons:

  • A long period of inactivity
  • Uses an old or Beta version of an application, module, or framework that we no longer support
  • The issue is no longer reproducible or has been fixed in later versions

If you are still facing a problem or consider this issue still relevant, please feel free to re-open the ticket and we will reach out to you.

Thank you,
The Magnolia Team
