[MAGNOLIA-7273] Cannot login to AdminCentral using System user with all roles assigned Created: 02/Mar/18  Updated: 02/Mar/18  Resolved: 02/Mar/18

Status: Closed
Project: Magnolia
Component/s: admininterface, security
Affects Version/s: 5.6.2
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Viet Nguyen Assignee: Viet Nguyen
Resolution: Not an issue Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File logged-in-with-all-groups.png     PNG File stuck-at-login-screen.png     PNG File system-user-creation.png     XML File users.system.testuser.xml     XML File users.system.testuser_all_groups.xml    
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

 Description   

1. From the author instance, log in as 'superuser' and create a 'testuser', for example.

2. Assign all existing roles to this user --> sample export data: users.system.testuser.xml
3. Log out and try to log in with this user --> Nothing happens; we get stuck at the login screen.

4. Remove all roles from the test user and assign all existing groups to him --> users.system.testuser_all_groups.xml
5. Log in to AdminCentral. Now we can log in but cannot see all tools and configuration-related apps.



 Comments   
Comment by Viet Nguyen [ 02/Mar/18 ]

Got explanation from ahietala:

Adding all possible roles to a user does not make sense. It results in a jumble of permissions that override each other. What tasks is your testuser supposed to perform? Assign one or two roles that grant enough permissions to perform those tasks, not more. As to why AdminCentral login fails, it's because you have applied the anonymous role to the user. Anonymous is denied permission to the /.magnolia* URL.

If a user has multiple ACLs through role and group assignment that specifically list the requested resource, the ACL with the longest pattern determines the permission. The order of the rules is not considered. This is a critical point to note, although this criterion is only applied if the user has more than one ACL that governs the requested resource. Of equally long patterns, the one that grants the broadest permissions is applied.

https://documentation.magnolia-cms.com/display/DOCS56/Roles+and+access+control+lists
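The resolution rule quoted in the comment above (longest matching pattern wins, assignment order ignored, broadest permission breaks ties) is easy to get wrong when reasoning about a user that holds many roles, as in steps 2-3 of the report. The following is an added model of that rule, not Magnolia's own code or API. It assumes a Deny < Get < "Get & Post" ordering of URI ACL permissions, that "longest" means the pattern's character count, that a URL with no matching entry is denied, and it uses a constructed 'superuser' entry ('/*' with Get & Post); the 'anonymous' deny on '/.magnolia*' is the one the comment describes.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Permission levels of a URI ACL entry, ordered from most restrictive to
# broadest. The numeric ordering is this model's assumption; the names follow
# the labels used in the Magnolia UI.
DENY, GET, GET_POST = 0, 1, 2
PERMISSION_NAMES = {DENY: "Deny", GET: "Get", GET_POST: "Get & Post"}


@dataclass(frozen=True)
class UriAclEntry:
    role: str        # role the entry comes from (directly or via a group)
    pattern: str     # URL pattern; '*' matches any run of characters
    permission: int  # one of DENY, GET, GET_POST


def matching_entries(url, entries):
    """All entries whose pattern matches the requested URL."""
    return [e for e in entries if fnmatchcase(url, e.pattern)]


def effective_permission(url, entries):
    """Resolve the permission a user has on `url` from every ACL entry they hold.

    Rule as quoted in the thread: among matching entries, the one with the
    longest pattern wins, regardless of the order roles were assigned in; of
    equally long patterns, the one granting the broadest permission applies.
    Returns (permission, winning_entry); (DENY, None) when nothing matches,
    which is this model's assumption for the no-match case.
    """
    candidates = matching_entries(url, entries)
    if not candidates:
        return DENY, None
    winner = max(candidates, key=lambda e: (len(e.pattern), e.permission))
    return winner.permission, winner


def can_open_admincentral(entries):
    """True when the user's combined ACLs let the AdminCentral URL load at all."""
    permission, _ = effective_permission("/.magnolia/admincentral", entries)
    return permission != DENY


# Constructed sample roles (not exported from a real instance). The deny on
# /.magnolia* for 'anonymous' is the behaviour the comment above describes;
# the 'superuser' entry is this model's assumption.
ANONYMOUS = [
    UriAclEntry("anonymous", "/.magnolia*", DENY),
    UriAclEntry("anonymous", "/*", GET),
]
SUPERUSER = [
    UriAclEntry("superuser", "/*", GET_POST),
]


def explain(url, entries):
    """Human-readable resolution result, naming the entry that decided it."""
    permission, winner = effective_permission(url, entries)
    source = f"{winner.role} ({winner.pattern!r})" if winner else "no matching ACL"
    return f"{url}: {PERMISSION_NAMES[permission]} via {source}"


if __name__ == "__main__":
    # Step 2 of the report: every role, including 'anonymous', on one user.
    all_roles = SUPERUSER + ANONYMOUS
    print(explain("/.magnolia/admincentral", all_roles))   # Deny via anonymous
    print(explain("/travel/index", all_roles))              # Get & Post via superuser
    # Same ACLs in the opposite order: the result does not change.
    print(explain("/.magnolia/admincentral", all_roles[::-1]))
    # Without 'anonymous' the login URL resolves to superuser's '/*'.
    print(explain("/.magnolia/admincentral", SUPERUSER))
```

The '/.magnolia*' deny is eleven characters long and beats the two-character '/*' grant no matter which role was assigned first, which is why the user in the report never gets past the login screen; for an ordinary page both roles match with '/*', and the tie goes to the broader Get & Post. The practical check before filing a bug like this is therefore to list every URI ACL entry a user inherits and look for the longest pattern that matches the failing URL.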

Comment by Viet Nguyen [ 02/Mar/18 ]

This could be an expected system behavior when we have multiple overlapping ACLs.
