Opened 6 years ago

Closed 6 years ago

#1965 closed defect (fixed)

Users can access reporter information even if their role permissions is set to DENIED

Reported by: Nicklas Nordborg Owned by: everyone
Priority: critical Milestone: BASE 3.6.2
Component: core Version:
Keywords: Cc:

Description

Change the "User" role so that the permission for "Reporters" is set to "DENIED".

Log in as a user with that role. The user is still able to list all reporters in View->Reporters list page.

Clicking on a report results in a Permission denied: Not allowed to read Reporter message.

If there is an array design with features, the user is also able to list reporter information in the features list. Clicking on a feature brings up a dialog with all reporter information present without any error message.

It is the same thing for a raw bioassay with raw data. The reporter information is available in the list and dialog.

See #1964 for some background information about what causes this.

Change History (4)

comment:1 Changed 6 years ago by Nicklas Nordborg

(In [7008]) References #1965: Users can access reporter information even if their role permissions is set to DENIED

The permission should now be checked in all queries that return ReporterData objects. When the query is started at some other item (eg. reporters linked from the raw data in a raw bioassay or reporters linked from features on an array design) we only check for explicitely DENIED permission (eg. we treat the reporters as child items). When the query is based directly on reporters we require explicit READ permission.

This doesn't solve the DENIED problem when doing it in two steps (which is the case on the raw data and feature list pages). For example, first loading RAWDATA and then navigating to the reporter via RawData.getReporter(). It is not possible to solved this within the BASE Core API. A possible solution is to let the web client handle this case by simply not include any reporter-related columns in raw data or feature listings if an explicit DENIED permission has been set.

Then there is also the case with dynamic queries generated from the experiment level...

comment:2 Changed 6 years ago by Nicklas Nordborg

(In [7009]) References #1965: Users can access reporter information even if their role permissions is set to DENIED

The web client now checks for DENIED permission before including reporter information in raw data, feature and well lists.

comment:3 Changed 6 years ago by Nicklas Nordborg

(In [7010]) References #1965: Users can access reporter information even if their role permissions is set to DENIED

Adding permission filter to dynamic reporter query.

comment:4 Changed 6 years ago by Nicklas Nordborg

Resolution: fixed
Status: newclosed

There is also a lot of functionality in other dynamic queries that can load and process reporter-related information. Those queries (DynamicSpotQuery, etc.) all originate from an experiment.

At the moment I think it is better to leave the rest of the code as it is since:

  • It is a rather exotic use case to allow a user to access an experiment but deny access to reporters.
  • Trying to implement the permission check in all places is complicated and there is a big risk that we break other things that are not so exotic.

If someone comes up with a good use-case in the future things may have to be reconsidered.

Note: See TracTickets for help on using tickets.