Grouper / GRP-1480

users with admin priv can't remove group via subject page



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4.0, 2.3.0.patch
    • Fix Version/s: 2.3.1, 2.4.0, 2.3.0.patch
    • Component/s: UI


      When a non-wheel user, with admin privileges but no explicit update privilege on a group, tries to remove that group via a subject page, using the checkboxes and the "Remove selected groups" button, the error is flashed:

      Error: group has errors removing 1 members, and successfully removed 1 members

      This looks like it just needs a change in UiV2Subject.removeGroups, with a group.hasUpdate(loggedInSubject) changed to a group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false). That fixed it for me when testing locally. There is another usage of hasUpdate in removeGroup, but I didn't test that one.

      The "successfully removed 1 members" on an error is also a bug, since it wasn't an actual success. I think the successes++ line should be moved to the inner block, right after group.deleteMember() is called.

      Steps to reproduce (unicon grouper-demo Docker image – I used tag 2.3.0-2017-01-30):

      1) As user banderson/password, log into
      2) Add adoe as an admin of group courses:ACCT101
      3) In a separate browser, log in as adoe/password
      4) Search user "asmith" and open the subject page
      5) Check checkbox for group ACCT101
      6) Click Remove selected groups

      Result: Error: group has errors removing 1 members, and successfully removed 1 members

      Potential patch:

      --- a/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
      +++ b/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
      @@ -805,7 +805,7 @@ public class UiV2Subject {
                   public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
      -              if (group.hasUpdate(loggedInSubject)) {
      +              if (group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false)) {
                       return true;
                     return false;
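      Review bot: the same `hasUpdate` check reportedly remains in removeGroup, and this hunk only fixes the callback in removeGroups; check that path for the same admin-without-UPDATE failure and change it in the same patch so both removal paths authorize consistently. The `false` passed as the third argument to `canHavePrivilege` is not explained in the hunk; a one-line comment saying what it controls and why that value is right for an authorization check would help the next reader.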
      @@ -816,9 +816,9 @@ public class UiV2Subject {
                 } else {
                   group.deleteMember(membership.getMember(), false);
      +            successes++;
      -          successes++;
               } catch (Exception e) {
                 LOG.warn("Error with membership: " + membershipId + ", user: " + loggedInSubject, e);
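      Review bot: with `successes++` now inside the `else` beside `group.deleteMember(...)`, the visible lines do not show the branch before `} else {` or the `catch` block incrementing a failure count; confirm each selected membership lands in exactly one counter so the flashed totals add up to the number of boxes checked. The added and removed `successes++` lines differ only in indentation, so verify the new line really sits inside the `else` braces, and consider a UI test for an admin without explicit UPDATE to pin the behaviour down.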





              • Assignee:
                chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
                chad.redman@at.internet2.edu Chad Redman (unc.edu)

