When removing users using the "Remove selected members" button, the behavior is different between wheel users and non-wheel users with an admin privilege on the group. For a user that has admin privilege, but not an explicit update privilege, removing selected users will redirect the user away from the group to the site home page.
- Load the sample quick start data
- Log in as GrouperSystem
- Create Group qsuob:test:AdminAccess
- Don't grant anything to EveryEntity
- Grant admin to babe (Barry Benson)
- Add bawi (Barry Windsor) as member
- Add "babe" to the tomcat-users.xml if needed
- In a different browser, login as "babe"
- Go to qsuob:test:AdminAccess
- Select checkbox for Barry Windsor
- Click Remove Selected Members
- Flash status "Success: removed 1 members"
- Redirected to UiV2Main.indexMain (the home page)
- Doesn't show change under recent activity (a separate issue?)
Note that explicitly adding the Update privilege for the user avoids this result, and it remains on the group page.
The source code for UiV2Group.removeMembers has this code which seems to be the immediate cause (correlated to the difference in Ajax response between wheel and admin):
For users with the Admin privilege, privilege management in the UI shows a black checkbox for Admin, and also grey checkboxes for all the other privileges, including Read and Update. That would imply there is an inheritance of these privileges for admin. However, group.hasUpdate(loggedInSubject) and group.hasRead(loggedInSubject) are false for a user with just the Admin privilege.
My guess for a fix is to add
to the conditional above. But there may be nuances in the privilege system I'm not aware of.