[MAGNOLIA-7273] Cannot login to AdminCentral using System user with all roles assigned Created: 02/Mar/18 Updated: 02/Mar/18 Resolved: 02/Mar/18 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | admininterface, security |
| Affects Version/s: | 5.6.2 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Viet Nguyen | Assignee: | Viet Nguyen |
| Resolution: | Not an issue | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
1. From author instance, login as 'superuser' and create a 'testuser' for example. |
| Comments |
| Comment by Viet Nguyen [ 02/Mar/18 ] |
|
Got explanation from ahietala: Adding all possible roles to a user does not make sense. It results in a jumble of permissions that override each other. What tasks is your testuser supposed to perform? Assign one or two roles that grant enough permissions to perform those tasks, not more. As to why AdminCentral login fails, it's because you have applied the anonymous role to the user. Anonymous is denied permission to the /.magnolia* URL. If a user has multiple ACLs through role and group assignment that specifically list the requested resource, the ACL with the longest pattern determines the permission. The order of the rules is not considered. This is a critical point to note, although this criterion is only applied if the user has more than one ACL that govern the requested resource. Of equally long patterns, the one that grants the broadest permissions is applied. – https://documentation.magnolia-cms.com/display/DOCS56/Roles+and+access+control+lists |
| Comment by Viet Nguyen [ 02/Mar/18 ] |
|
This could be an expected system behavior when we have multiple overlapping ACLs. |
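
The resolution rule quoted in the first comment (longest matching pattern wins; among equally long patterns the broadest permission wins), as an added Python example that is not Magnolia's code and not part of the ticket. The role table, the permission ranking, the `/*` and `/docs*` patterns, the `fnmatch` wildcard matching and the deny fallback when nothing matches are assumptions made for illustration; only the anonymous deny on `/.magnolia*` comes from the ticket.

```python
from fnmatch import fnmatchcase

# Constructed ranking: a higher number means a broader permission.
BREADTH = {"deny": 0, "get": 1, "get+post": 2}

# Constructed role table: role -> list of (URL pattern, permission).
# Only the anonymous deny on /.magnolia* is taken from the ticket.
ROLE_ACLS = {
    "superuser": [("/*", "get+post")],
    "anonymous": [("/*", "get+post"), ("/.magnolia*", "deny")],
    "reader": [("/docs*", "get")],        # hypothetical role
    "author": [("/docs*", "get+post")],   # hypothetical role
}


def resolve(roles, url):
    """Return (permission, pattern, role) of the ACL entry that decides access.

    Rule order is ignored. Among all entries that match the URL, the longest
    pattern wins; among equally long patterns, the broadest permission wins.
    Falls back to ("deny", None, None) when no entry matches (assumption).
    """
    matches = [
        (pattern, perm, role)
        for role in roles
        for pattern, perm in ROLE_ACLS[role]
        if fnmatchcase(url, pattern)  # simplified wildcard matching
    ]
    if not matches:
        return ("deny", None, None)
    pattern, perm, role = max(matches, key=lambda m: (len(m[0]), BREADTH[m[1]]))
    return (perm, pattern, role)


def explain(roles, url):
    """One-line summary for an access review: which role's entry decided."""
    perm, pattern, role = resolve(roles, url)
    return f"{url}: {perm} (decided by {role!r} via {pattern!r})"


if __name__ == "__main__":
    admin_url = "/.magnolia/admincentral"
    print(explain(["superuser"], admin_url))
    print(explain(["superuser", "anonymous"], admin_url))
    print(explain(["reader", "author"], "/docs/page.html"))
```

Returning the deciding role and pattern alongside the permission makes it possible to see which assignment to remove when an added role unexpectedly narrows a user's access.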