[MGNLFORUM-250] Remove not supported moderation-permission
Created: 05/Mar/14  Updated: 13/Mar/14  Resolved: 12/Mar/14

Status: Closed
Project: Forum (closed)
Component/s: security
Affects Version/s: None
Fix Version/s: 3.3

Type: Story
Priority: Neutral
Reporter: Christoph Meier
Assignee: Roman Kovařík
Resolution: Fixed
Votes: 0
Labels: None

Attachments: custom-m45-sec-conf.png, unsupported_ACL-permission.png
Issue Links:
relation: is related to MGNLCMNT-102 Security-related bootstraps contain ... (Closed)
Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLFORUM-251 | Security-related bootstraps contain o... | Sub-task | Closed | Christoph Meier
MGNLFORUM-252 | Configured roles contain only ACL-per... | Sub-task | Closed | Roman Kovařík
MGNLFORUM-253 | DefaultForumManager#isModerator shoul... | Sub-task | Closed | Christoph Meier
MGNLFORUM-254 | Only forum-forumName-user role is cre... | Sub-task | Closed | Roman Kovařík
MGNLFORUM-255 | Unite constants from FormConstants & ... | Sub-task | Closed | Roman Kovařík

 Description   

Forum on M4.5 had a sophisticated security model which is currently not supported by Magnolia 5.

The bootstrap (originating from the M4.5 version) installs these 4 roles:

1) forum-base
2) forum_ALL-user
3) forum_ALL-admin
4) forum_ALL-moderator

(2), (3) and (4) all come with an ACL permission for the forum workspace which the M5 security app cannot display correctly (see screenshot) and which is lost when someone edits it.
Instead of the permission "moderateAndDelete", use "read & write".

Forum 3.3 should apply the following simple security model:

(a) role forum-base is required to access the forum-app
(b) to moderate (=> approve or reject a message) a user must have the role forum_ALL-moderator or forum_ALL-admin
(c) if a user has the above-described permission to moderate a forum, he can moderate every forum

(a) is already done but probably arguable.

=>

  • clean install: ensure bootstraps contain roles which can be handled by M5; remove bootstraps that are no longer used
  • clean update: ensure config. of installed forum gets roles which can be handled by M5 on update
  • clean code: ensure DefaultForumManager#isModerator works properly (based on roles)
  • disable automatic creation of roles when a forum is created in the forum config (change the config which is in the bootstrap or in already installed versions)
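
The role rules (a) to (c) and the update step for the unsupported permission, as an added Java sketch that is not code from the forum module or from Magnolia. The class, the `Acl` record, the method names and the workspace name `forum` are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; all types and names here are hypothetical, not Magnolia APIs.
public class ForumRoleModel {
    static final String BASE = "forum-base";
    static final Set<String> MODERATING_ROLES = Set.of("forum_ALL-moderator", "forum_ALL-admin");
    // Permission labels as they appear in the issue text.
    static final String UNSUPPORTED = "moderateAndDelete";
    static final String REPLACEMENT = "read & write";

    // One ACL entry of a role (assumed shape): workspace, path, permission label.
    record Acl(String workspace, String path, String permission) {}

    // Rule (a): the forum app is only available to holders of forum-base.
    static boolean canAccessApp(Set<String> userRoles) {
        return userRoles.contains(BASE);
    }

    // Rules (b) and (c): moderation depends on roles only. The forum name is
    // deliberately not a parameter, because a moderator may moderate every forum.
    static boolean isModerator(Set<String> userRoles) {
        return !Collections.disjoint(userRoles, MODERATING_ROLES);
    }

    // Update step: rewrite the permission the M5 security app cannot display and
    // return the names of the changed roles so the update can be logged and reviewed.
    static List<String> migrate(Map<String, List<Acl>> rolesToAcls) {
        List<String> changed = new ArrayList<>();
        for (Map.Entry<String, List<Acl>> e : rolesToAcls.entrySet()) {
            boolean touched = false;
            ListIterator<Acl> it = e.getValue().listIterator();
            while (it.hasNext()) {
                Acl acl = it.next();
                if ("forum".equals(acl.workspace()) && UNSUPPORTED.equals(acl.permission())) {
                    it.set(new Acl(acl.workspace(), acl.path(), REPLACEMENT));
                    touched = true;
                }
            }
            if (touched) changed.add(e.getKey());
        }
        return changed;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real installation.
        Map<String, List<Acl>> roles = new TreeMap<>();
        roles.put("forum-base", new ArrayList<>(List.of(new Acl("config", "/modules/forum", "read"))));
        roles.put("forum_ALL-moderator", new ArrayList<>(List.of(new Acl("forum", "/", UNSUPPORTED))));
        System.out.println("migrated roles: " + migrate(roles));
        System.out.println("forum-base only moderates: " + isModerator(Set.of(BASE)));
        System.out.println("admin moderates: " + isModerator(Set.of(BASE, "forum_ALL-admin")));
    }
}
```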


 Comments   
Comment by Christoph Meier [ 11/Mar/14 ]

All subtasks of MGNLFORUM-250 (251, 252, 253, 254, 255) have been committed against MGNLFORUM-250 (which is the "parent") on master.

Comment by Milan Divilek [ 11/Mar/14 ]

Reopen: There is no longer any reason to have the "forum-moderator-base" role. It's only used for forum app availability (/modules/forum/apps/forum/permissions/roles). Instead of this we should change forum app availability to the roles forum_ALL-admin and forum_ALL-moderator.

Also, the "forum-base" role seems useless. Please check it.

Generated at Mon Feb 12 02:02:07 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.