[MGNLGROOVY-238] Groovy Terminal access is prohibited if user is not directly assigned to role
Created: 13/Jan/23  Updated: 23/Mar/23  Resolved: 14/Mar/23

Status: Closed
Project: Magnolia Groovy Module
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.4, 4.0.0

Type: Bug
Priority: Critical
Reporter: Philipp Gaschuetz
Assignee: Jaroslav Simak
Resolution: Fixed
Votes: 0
Labels: quickwin
Σ Remaining Estimate: Not Specified
Remaining Estimate: Not Specified
Σ Time Spent: 3.5h
Time Spent: Not Specified
Σ Original Estimate: Not Specified
Original Estimate: Not Specified

Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLGROOVY-239 | Implementation | Sub-task | Completed | Jaroslav Simak
MGNLGROOVY-240 | Review | Sub-task | Completed | Javier Benito
MGNLGROOVY-241 | piQA | Sub-task | Completed | Javier Benito
MGNLGROOVY-242 | QA | Sub-task | Closed | Oanh Thai Hoang
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Date of First Response:
Epic Link: Support
Sprint: DevX 33
Story Points: 2
Team: DeveloperX
Work Started:

 Description   

To access the Groovy App, a user needs to have the superuser or scripter role assigned.

There is a bug in the code, as it only checks if the user has one of the above roles assigned directly. Transitive role assignments are effectively ignored by the code.

We stumbled upon this bug, as we are using the Magnolia SSO Module and it is effectively impossible to directly assign roles to users when using SSO. We can therefore not use the Groovy App at all, as access is restricted to transitive role members.

Steps to reproduce

  1. Create a new group and assign the superuser role to it
  2. Create a user that has the newly created group assigned and does not have the superuser or scripter role assigned directly
  3. Log in with that user and try to access the Groovy App

Expected results

Should just work.

Actual results

Error Message:
User xyz is trying to use the Magnolia Groovy Interactive Console but is not authorized.

Workaround

If using SSO module, no workaround possible.

If not using SSO, only use directly assigned roles, which defeats the purpose of Groups and Roles...

Development notes

A bugfix pull request has been created:
https://git.magnolia-cms.com/projects/MODULES/repos/groovy/pull-requests/64/overview
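
The difference between a direct-role check and an effective-role check, as an added example that is not code from this ticket, the pull request or the Magnolia Groovy module. The class, maps, user names and group names are a constructed model and do not use Magnolia's security API.

```java
import java.util.*;

// Simplified, constructed model of users, groups and roles (not Magnolia's security API).
public class RoleCheckDemo {
    // Constructed sample data: directly assigned roles, group memberships, roles held by groups.
    static final Map<String, Set<String>> USER_ROLES =
            Map.of("alice", Set.of("superuser"), "bob", Set.of());
    static final Map<String, Set<String>> MEMBER_OF =
            Map.of("bob", Set.of("editors"), "editors", Set.of("admins"));
    static final Map<String, Set<String>> GROUP_ROLES =
            Map.of("admins", Set.of("superuser"));
    // Roles the ticket names as required for the Groovy App.
    static final Set<String> REQUIRED = Set.of("superuser", "scripter");

    // Behaviour described in the ticket: only directly assigned roles count.
    static boolean allowedDirectOnly(String user) {
        return !Collections.disjoint(USER_ROLES.getOrDefault(user, Set.of()), REQUIRED);
    }

    // Effective roles: direct roles plus the roles of every group reachable through membership.
    static Set<String> effectiveRoles(String user) {
        Set<String> roles = new HashSet<>(USER_ROLES.getOrDefault(user, Set.of()));
        Set<String> seen = new HashSet<>(); // guards against cyclic group nesting
        Deque<String> todo = new ArrayDeque<>(MEMBER_OF.getOrDefault(user, Set.of()));
        while (!todo.isEmpty()) {
            String group = todo.pop();
            if (!seen.add(group)) continue; // already expanded
            roles.addAll(GROUP_ROLES.getOrDefault(group, Set.of()));
            todo.addAll(MEMBER_OF.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    // Expected behaviour: a role granted through a group (or nested group) also grants access.
    static boolean allowedTransitive(String user) {
        return !Collections.disjoint(effectiveRoles(user), REQUIRED);
    }

    public static void main(String[] args) {
        // alice has the role directly, bob only through nested groups, carol is unknown.
        for (String u : List.of("alice", "bob", "carol")) {
            System.out.printf("%s direct=%b transitive=%b%n",
                    u, allowedDirectOnly(u), allowedTransitive(u));
        }
    }
}
```

A user who is unknown to the model, or whose groups carry neither role, is denied by both checks, so widening the check to effective roles does not change the default-deny outcome.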



 Comments   
Comment by Philipp Gaschuetz [ 17/Feb/23 ]

Hi,

is there any news on this? The bugfix pull request @ https://git.magnolia-cms.com/projects/MODULES/repos/groovy/pull-requests/64/overview has been automatically closed due to inactivity.

Our customer requires this functionality...

Many thanks!

 

Comment by Richard Gange [ 23/Mar/23 ]

Hello pgaschuetz-

The fix was released today with Magnolia 6.2.30.

Cheers
Rich

Generated at Mon Feb 12 05:56:52 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.