  eZ Publish / Platform / EZP-20933

Roles/policies display "subtractive" behavior under specific conditions.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 4.7.0, 5.0, 5.1
    • Fix Version/s: Customer request
    • Component/s: Permissions
    • Labels:
      None
    • Environment:

      eZ Publish Enterprise 4.7

      Description

      Given that roles and policies are based on the whitelist principle (everything is denied until you say otherwise), they should always be additive, never subtractive. Nevertheless, under specific conditions, they display subtractive behavior.

      Steps to reproduce:

      1. Create new folder (e.g. "Test") under /Media/Images/;
      2. Create "Test 1" and "Test 2" user groups;
      3. Create new user "John Smith" and assign him to both groups;
      4. Create two new roles, "Test role 1" and "Test role 2";

      Add the following policies to the "Test role 1" role:

      user login no limitations
      content read no limitations
      content create no limitations

      Add the following policies to the "Test role 2" role:

      User login no limitations
      content read no limitations
      content create Class( Article ) , Section( Media )

      5. Assign "Test role 1" to "Test 1" user group with subtree limitation of /Media/;
      6. Assign "Test role 2" to "Test 2" user group with subtree limitation of /Media/Images/Test/;

      After this, log in as "John Smith" and go to /Media/Images/Test/. Clicking on the "Create new" button will only display "Article" on the list. All existing classes should be displayed.
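
A minimal model of the whitelist semantics this report expects, added here as an example in Python (it is not eZ Publish code). The class list, the assumption that the test folder sits in the "Media" section, and the `creatable_subtractive` merge are constructed for illustration; the page does not describe how the actual defect was implemented.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the class names are placeholders, not a real install.
ALL_CLASSES = frozenset({"Folder", "Article", "Image", "File"})

@dataclass(frozen=True)
class Policy:
    module: str
    function: str
    classes: Optional[frozenset] = None   # None = no Class limitation
    sections: Optional[frozenset] = None  # None = no Section limitation

@dataclass(frozen=True)
class Assignment:
    role: str
    policies: tuple
    subtree: str  # subtree limitation of the role assignment, with trailing "/"

def _grants(assignments, path, section):
    """Yield the class set each applicable content/create policy allows."""
    for a in assignments:
        if not path.startswith(a.subtree):
            continue  # this assignment does not cover the location
        for p in a.policies:
            if (p.module, p.function) != ("content", "create"):
                continue
            if p.sections is not None and section not in p.sections:
                continue
            yield ALL_CLASSES if p.classes is None else p.classes & ALL_CLASSES

def creatable_additive(assignments, path, section):
    """Whitelist semantics: the result is the union of every grant."""
    return frozenset().union(*_grants(assignments, path, section))

def creatable_subtractive(assignments, path, section):
    """Hypothetical faulty merge: a narrower grant shrinks a broader one."""
    grants = list(_grants(assignments, path, section))
    return frozenset.intersection(*grants) if grants else frozenset()

# The two roles and assignments from the steps to reproduce.
ROLE_1 = (Policy("user", "login"), Policy("content", "read"),
          Policy("content", "create"))
ROLE_2 = (Policy("user", "login"), Policy("content", "read"),
          Policy("content", "create", frozenset({"Article"}), frozenset({"Media"})))
JOHN = (Assignment("Test role 1", ROLE_1, "/Media/"),
        Assignment("Test role 2", ROLE_2, "/Media/Images/Test/"))
```

A regression test for this class of bug asserts that adding a second, narrower role assignment never shrinks the set returned for a location the first assignment already covers.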

          Activity

          Bertrand Dunogier added a comment -

          Pull request: https://github.com/ezsystems/ezpublish-legacy/pull/669

          Bertrand Dunogier added a comment -

          One note: the issue also occurs if both issues are limited to the same subtree, like /1/43.

          Bertrand Dunogier added a comment -

          Unit tests fail:

          There were 4 failures:
           
          1) eZURLAliasMLTest::testGetChildren
          Failed asserting that 3 matches expected 2.
           
          /home/bertrand/www/ezpublish-legacy/tests/tests/kernel/classes/urlaliasml_test.php:104
          /home/bertrand/www/ezpublish-legacy/tests/toolkit/ezptestrunner.php:372
           
          2) eZURLAliasMLRegression::testURLAliasTranslationLinkValues
          More than one active entry for the current node detected.
          Failed asserting that 0 matches expected 1.
           
          /home/bertrand/www/ezpublish-legacy/tests/tests/kernel/classes/urlaliasml_regression.php:662
          /home/bertrand/www/ezpublish-legacy/tests/toolkit/ezptestrunner.php:372
           
          3) eZContentObjectStateGroupTest::testCreateWithvalidIdentifier with data set #0 ('lowercasechars')
          Valid state group identifier 'lowercasechars' was refused, array (
            0 => 'Norwegian (Bokmal): this language is the default but neither name or description were provided for this language',
          )
          Failed asserting that false is true.
           
          /home/bertrand/www/ezpublish-legacy/tests/tests/kernel/classes/ezcontentobjectstategroup_test.php:52
          /home/bertrand/www/ezpublish-legacy/tests/toolkit/ezptestrunner.php:372
           
          4) eZContentObjectStateGroupTest::testCreateWithvalidIdentifier with data set #1 ('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx')
          Valid state group identifier 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' was refused, array (
            0 => 'Norwegian (Bokmal): this language is the default but neither name or description were provided for this language',
          )
          Failed asserting that false is true.
           
          /home/bertrand/www/ezpublish-legacy/tests/tests/kernel/classes/ezcontentobjectstategroup_test.php:52
          /home/bertrand/www/ezpublish-legacy/tests/toolkit/ezptestrunner.php:372
          

          Bertrand Dunogier added a comment - - edited

          @QA: the fix has been merged to master (https://github.com/ezsystems/ezpublish-legacy/commit/d43db1def46becc9272752349d54cb780128d12e). Could you please run tests regarding this, and let us know?

          Our "unit/functional" tests are really getting touchy here.

          Joao Pingo (Inactive) added a comment -

          @Bertrand
          Hi, I've run our permissions test group tc-485 to tc-495 and the new tc-1791 (this issue's test), with the available patch.
          All of the tests passed without any problems.

          Joao Pingo (Inactive) added a comment -

          Tested on Master, 5.1, 5.0 and 4.7 with tc-1791
          QA Approved


            People

            • Assignee:
              Unassigned
              Reporter:
              Nuno Oliveira (Inactive)

                Time Tracking

                Estimated: Original Estimate - Not Specified
                Remaining: Remaining Estimate - 0 minutes
                Logged: Time Spent - 4 days, 1 hour