  1. Grouper
  2. GRP-1480

users with admin priv can't remove group via subject page

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 2.3.1, 2.4.0, 2.3.0.patch
    • 2.4.0, 2.3.0.patch
    • UI
    • None

    Description

      When a non-wheel user, with admin privileges but no explicit update privilege on a group, tries to remove that group via a subject page, using the checkboxes and the "Remove selected groups" button, the error is flashed:

      Error: group has errors removing 1 members, and successfully removed 1 members

      This looks like it just needs a change in UiV2Subject.removeGroups, with a group.hasUpdate(loggedInSubject) changed to a group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false). That fixed it for me when testing locally. There is another usage of hasUpdate in removeGroup, but I didn't test that one.

      The "successfully removed 1 members" on an error is also a bug, since it wasn't an actual success. I think the successes++ line should be moved to the inner block, right after group.deleteMember() is called.

      Steps to reproduce (unicon grouper-demo Docker image – I used tag 2.3.0-2017-01-30):

      1) As user banderson/password, log into http://192.168.99.100:8080/grouper
      2) Add adoe as an admin of group courses:ACCT101
      3) In a separate browser, log in as adoe/password
      4) Search user "asmith" and open the subject page
      5) Check checkbox for group ACCT101
      6) Click Remove selected groups

      Result: Error: group has errors removing 1 members, and successfully removed 1 members

      Potential patch:

      --- a/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
      +++ b/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
      @@ -805,7 +805,7 @@ public class UiV2Subject {
       
                   @Override
                   public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
      -              if (group.hasUpdate(loggedInSubject)) {
      +              if (group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false)) {
                       return true;
                     }
                     return false;
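
Review bot: The new condition passes a bare `false` as the third argument to `canHavePrivilege` with nothing saying what it controls; add a short comment or a named local so the authorization decision can be read without looking up the signature. The description also mentions a second `hasUpdate` call in `removeGroup` that was not tested; it should get the same change in this patch, otherwise the two removal paths authorize the same subject differently. The `if (...) { return true; } return false;` body can return the expression directly.
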
      @@ -816,9 +816,9 @@ public class UiV2Subject {
                   failures++;
                 } else {
                   group.deleteMember(membership.getMember(), false);
      +            successes++;
                 }
       
      -          successes++;
               } catch (Exception e) {
                 LOG.warn("Error with membership: " + membershipId + ", user: " + loggedInSubject, e);
                 failures++;
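
Review bot: The denied branch at the top of this hunk increments `failures` with no log statement visible here, while the exception path logs the membership id and the user; add a `LOG.warn` in the denied branch as well so a refused removal can be traced to the subject who attempted it. With `successes++` placed directly after `group.deleteMember(...)`, only completed deletes are counted; a test that submits one permitted and one denied group in the same request would pin down both counters.
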
      

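The two defects described in this report, as an added example that is not part of the original issue and is not Grouper code: an explicit-only privilege check set against an effective one, and a success counter that is incremented only after the delete. Every class, method and privilege mapping here is a hypothetical simplified model, and the rule that ADMIN satisfies UPDATE is an assumption taken from the report's description.

```java
import java.util.*;

// Simplified model, not Grouper code: all names below are hypothetical.
public class RemoveGroupsModel {
  enum Priv { ADMIN, UPDATE, READ }

  // Assumption from the report: ADMIN is sufficient wherever UPDATE is required.
  static final Map<Priv, Set<Priv>> SATISFIED_BY = Map.of(
      Priv.ADMIN, EnumSet.of(Priv.ADMIN),
      Priv.UPDATE, EnumSet.of(Priv.UPDATE, Priv.ADMIN),
      Priv.READ, EnumSet.of(Priv.READ, Priv.UPDATE, Priv.ADMIN));

  static class Group {
    final Map<String, Set<Priv>> grants = new HashMap<>();
    final Set<String> members = new HashSet<>();

    // Explicit-only check: true only if exactly this privilege was granted.
    boolean hasExplicit(String subject, Priv p) {
      return grants.getOrDefault(subject, Set.of()).contains(p);
    }

    // Effective check: any granted privilege that satisfies p is enough.
    boolean canHave(String subject, Priv p) {
      Set<Priv> granted = grants.getOrDefault(subject, Set.of());
      return SATISFIED_BY.get(p).stream().anyMatch(granted::contains);
    }
  }

  // Returns {successes, failures}; a success is counted only after the member was removed.
  static int[] removeMember(List<Group> groups, String actor, String member, boolean effective) {
    int successes = 0, failures = 0;
    for (Group g : groups) {
      boolean allowed = effective ? g.canHave(actor, Priv.UPDATE) : g.hasExplicit(actor, Priv.UPDATE);
      if (!allowed || !g.members.remove(member)) { failures++; continue; }
      successes++;
    }
    return new int[] {successes, failures};
  }

  public static void main(String[] args) {
    Group acct = new Group();                          // constructed sample data
    acct.grants.put("adoe", EnumSet.of(Priv.ADMIN));   // admin, no explicit update
    acct.members.add("asmith");
    int[] explicitOnly = removeMember(List.of(acct), "adoe", "asmith", false);
    int[] effective = removeMember(List.of(acct), "adoe", "asmith", true);
    System.out.println("explicit check  {successes, failures}: " + Arrays.toString(explicitOnly));
    System.out.println("effective check {successes, failures}: " + Arrays.toString(effective));
  }
}
```
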
          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            chad.redman@at.internet2.edu Chad Redman (unc.edu)