<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 02:02:19 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLFORUM-270] DefaultForumManager#isModerator() checks only the directly attached roles of the user, but ignores his roles inherited from his groups</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLFORUM-270</link>
                <project id="10130" key="MGNLFORUM">Forum (closed)</project>
                    <description>&lt;p&gt;When trying to edit a forum message, not only the ACL is checked, but also the method isModerator() is called on the DefaultForumManager.&lt;/p&gt;

&lt;p&gt;This method only checks if the user has the roles &quot;forum_ALL-admin&quot; and &quot;forum_ALL-moderator&quot; directly assigned to the user (currentUser.hasRole()).&lt;br/&gt;
But it does not check whether the user has this role &quot;inherited&quot; from a group he is part of.&lt;/p&gt;

&lt;p&gt;This means that if you have the role &quot;forum_ALL-admin&quot; only as a role of a group, you won&apos;t be able to edit a message, even if you have the content access rights to the data.&lt;/p&gt;

&lt;p&gt;This is a big problem for all AD/LDAP users. As AD/LDAP users are matched by their user name or user group, one cannot directly assign a role to an AD user, only to groups. So even if the logged-in AD user has the role through one of his groups, he cannot edit a message.&lt;/p&gt;

&lt;p&gt;Former code:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
@Override
    &lt;span class=&quot;code-keyword&quot;&gt;public&lt;/span&gt; void isModerator() &lt;span class=&quot;code-keyword&quot;&gt;throws&lt;/span&gt; AccessDeniedException{
        User currentUser = MgnlContext.getUser();
        &lt;span class=&quot;code-keyword&quot;&gt;if&lt;/span&gt; (!currentUser.hasRole(ROLE_FORUM_ALL_MODERATOR) &amp;amp;&amp;amp; !currentUser.hasRole(ROLE_FORUM_ALL_ADMIN)) {
            &lt;span class=&quot;code-keyword&quot;&gt;throw&lt;/span&gt; &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; AccessDeniedException(&lt;span class=&quot;code-quote&quot;&gt;&quot;User not allowed to perform that action.&quot;&lt;/span&gt;);
        }
    }
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Should be changed to:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
@Override
    &lt;span class=&quot;code-keyword&quot;&gt;public&lt;/span&gt; void isModerator() &lt;span class=&quot;code-keyword&quot;&gt;throws&lt;/span&gt; AccessDeniedException{
        User currentUser = MgnlContext.getUser();
        &lt;span class=&quot;code-object&quot;&gt;boolean&lt;/span&gt; hasRole = &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;;
        &lt;span class=&quot;code-comment&quot;&gt;// Needs to use getAllRoles() instead of .hasRole() because .hasRole() will only check &lt;span class=&quot;code-keyword&quot;&gt;for&lt;/span&gt; the roles directly attached to the user, but not the ones inherited from the group.
&lt;/span&gt;        &lt;span class=&quot;code-comment&quot;&gt;// As roles cannot be attached directly to an AD user, it is crucial to be able to define them via the user&apos;s groups.
&lt;/span&gt;        Collection&amp;lt;&lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt;&amp;gt; allRoles = currentUser.getAllRoles();
        &lt;span class=&quot;code-keyword&quot;&gt;for&lt;/span&gt; (Iterator&amp;lt;&lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt;&amp;gt; iterator = allRoles.iterator(); iterator.hasNext();) {
            &lt;span class=&quot;code-object&quot;&gt;String&lt;/span&gt; roleName = iterator.next();
            &lt;span class=&quot;code-keyword&quot;&gt;if&lt;/span&gt; (roleName.equals(ROLE_FORUM_ALL_MODERATOR) || roleName.equals(ROLE_FORUM_ALL_ADMIN)) {
                hasRole = &lt;span class=&quot;code-keyword&quot;&gt;true&lt;/span&gt;;
            }
        }

        &lt;span class=&quot;code-keyword&quot;&gt;if&lt;/span&gt; (!hasRole) {
            &lt;span class=&quot;code-keyword&quot;&gt;throw&lt;/span&gt; &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; AccessDeniedException(&lt;span class=&quot;code-quote&quot;&gt;&quot;User not allowed to perform that action.&quot;&lt;/span&gt;);
        }
    }
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The &quot;currentUser.getAllRoles();&quot; returns all roles, including the ones from the user&apos;s groups.&lt;/p&gt;

&lt;p&gt;I added the patch for the class.&lt;br/&gt;
But tests are failing because the mock user returns an empty list on .getAllRoles();&lt;br/&gt;
The tests should be fixed accordingly.&lt;/p&gt;</description>
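<![CDATA[
The following Java class is an added illustration, not Magnolia's code and not the attached patch. It models the two lookups the report contrasts, hasRole() for directly assigned roles and getAllRoles() for roles that also arrive through group membership, and runs the original and the proposed moderator check side by side on a constructed directory-style user who holds forum_ALL-admin only via a group. The Group and User classes are simplified stand-ins for Magnolia's security API (assumed shapes, not the real interfaces), the checks return a boolean instead of throwing AccessDeniedException, the user and group names are made up, and only the role names are taken from the report. It goes a little beyond the report in that getAllRoles() also walks nested parent groups.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example (not Magnolia code, not the attached patch). Group and User are
 * simplified stand-ins for Magnolia's security API; only the two lookups the
 * report contrasts are modelled: hasRole() sees directly assigned roles,
 * getAllRoles() also resolves roles inherited through (nested) group membership.
 */
public class ModeratorCheckDemo {

    static final String ROLE_FORUM_ALL_MODERATOR = "forum_ALL-moderator";
    static final String ROLE_FORUM_ALL_ADMIN = "forum_ALL-admin";

    /** Stand-in group: its own roles plus optional parent groups (assumed shape). */
    static final class Group {
        final String name;
        final Set<String> roles;
        final List<Group> parents;

        Group(String name, Collection<String> roles, Group... parents) {
            this.name = name;
            this.roles = new LinkedHashSet<>(roles);
            this.parents = Arrays.asList(parents);
        }
    }

    /** Stand-in user: directly assigned roles plus group memberships (assumed shape). */
    static final class User {
        final String name;
        private final Set<String> directRoles;
        private final List<Group> groups;

        User(String name, Collection<String> directRoles, Group... groups) {
            this.name = name;
            this.directRoles = new LinkedHashSet<>(directRoles);
            this.groups = Arrays.asList(groups);
        }

        /** Directly assigned roles only: what the original isModerator() consulted. */
        boolean hasRole(String role) {
            return directRoles.contains(role);
        }

        /** Direct roles plus every role reachable through the user's groups. */
        Collection<String> getAllRoles() {
            Set<String> all = new LinkedHashSet<>(directRoles);
            Set<Group> visited = new LinkedHashSet<>(); // guards against group cycles
            for (Group g : groups) {
                collectRoles(g, all, visited);
            }
            return Collections.unmodifiableSet(all);
        }

        private static void collectRoles(Group g, Set<String> out, Set<Group> visited) {
            if (!visited.add(g)) {
                return; // already walked this group (or hit a cycle)
            }
            out.addAll(g.roles);
            for (Group parent : g.parents) {
                collectRoles(parent, out, visited);
            }
        }
    }

    /** The original check: direct roles only, so group-inherited roles are ignored. */
    static boolean isModeratorDirectOnly(User u) {
        return u.hasRole(ROLE_FORUM_ALL_MODERATOR) || u.hasRole(ROLE_FORUM_ALL_ADMIN);
    }

    /** The proposed check: consults the resolved role set, inherited roles included. */
    static boolean isModeratorWithGroups(User u) {
        Collection<String> all = u.getAllRoles();
        return all.contains(ROLE_FORUM_ALL_MODERATOR) || all.contains(ROLE_FORUM_ALL_ADMIN);
    }

    public static void main(String[] args) {
        // Constructed sample data: a directory user who can only receive roles through
        // groups (here via a nested parent group), and a local user with a direct role.
        Group forumAdmins = new Group("forum-admins", Arrays.asList(ROLE_FORUM_ALL_ADMIN));
        Group directoryEditors = new Group("directory-editors", Arrays.asList("editor"), forumAdmins);
        User directoryUser = new User("jdoe", Collections.<String>emptyList(), directoryEditors);
        User localAdmin = new User("superuser", Arrays.asList(ROLE_FORUM_ALL_ADMIN));

        for (User u : Arrays.asList(directoryUser, localAdmin)) {
            System.out.println(u.name
                    + " direct-only=" + isModeratorDirectOnly(u)
                    + " with-groups=" + isModeratorWithGroups(u));
        }
    }
}
```

Running main() shows the directory user denied by the direct-only check and accepted by the group-aware one, while the local user passes both. If a unit test drives the group-aware check with a stub user, the stub's getAllRoles() has to return the inherited roles as well; a stub that answers hasRole() but returns an empty collection from getAllRoles() makes the new check fail, which is the test breakage the report mentions.
]]>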
                <environment></environment>
        <key id="39923">MGNLFORUM-270</key>
            <summary>DefaultForumManager#isModerator() checks only the directly attached roles of the user, but ignores his roles inherited from his groups</summary>
                <type id="1" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10883&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/critical.svg">Critical</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="mdivilek">Milan Divilek</assignee>
                                    <reporter username="cringele">Christian Ringele</reporter>
                        <labels>
                            <label>maintenance</label>
                            <label>next</label>
                            <label>support</label>
                    </labels>
                <created>Mon, 11 Aug 2014 17:20:40 +0200</created>
                <updated>Thu, 28 Aug 2014 13:21:28 +0200</updated>
                            <resolved>Tue, 12 Aug 2014 19:22:09 +0200</resolved>
                                    <version>3.3.3</version>
                    <version>3.4.1</version>
                                    <fixVersion>3.3.4</fixVersion>
                    <fixVersion>3.4.3</fixVersion>
                                    <component>moderation</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                <comments>
                            <comment id="89710" author="peili.liang" created="Wed, 13 Aug 2014 07:43:20 +0200"  >&lt;p&gt;The master fixVersion should be 3.4.3, it will be created when we release 3.4.2.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10040">
                    <name>causality</name>
                                                                <inwardlinks description="is causing">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="25268" name="DefaultForumManager.patch" size="1621" author="cringele" created="Mon, 11 Aug 2014 17:20:40 +0200"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                            <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
        <checklist>
        <![CDATA[Empty]]>
    </checklist>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 13 Aug 2014 07:43:20 +0200</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>mmuehlebach</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            9 years, 27 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>cringele</customfieldvalue>
            <customfieldvalue>mdivilek</customfieldvalue>
            <customfieldvalue>peili.liang</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10090" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Patch included</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10100"><![CDATA[Yes]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i03lq7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>21119</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>