Skip to content

Sprint5 server bugs #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joshmoore merged 6 commits into from
Sep 24, 2012
Merged

Sprint5 server bugs #369

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1b0fef7
Test case for admin querying with "omero.group = -1". (See #9632)
chris-allan Sep 18, 2012
1cbf3b9
Fix bad comparison of getCurrentGroupId (See #9632)
joshmoore Sep 19, 2012
e88ec6c
Load perms for system groups as well (Fix #9632)
joshmoore Sep 19, 2012
4ce9217
Handle systypes and null details separately (See #9632)
joshmoore Sep 19, 2012
2482a7f
Fix canEdit corruption (See #9635)
joshmoore Sep 19, 2012
3cc848b
Minor fixes to group.py
joshmoore Sep 19, 2012
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 34 additions & 9 deletions components/server/src/ome/security/basic/BasicACLVoter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,25 +115,43 @@ public boolean allowChmod(IObject iObject) {
public boolean allowLoad(Session session, Class<? extends IObject> klass, Details d, long id) {
Assert.notNull(klass);

if (d == null ||
sysTypes.isSystemType(klass) ||
sysTypes.isInSystemGroup(d) ||
sysTypes.isInUserGroup(d)) {
return true;
if (d == null || sysTypes.isSystemType(klass)) {
// Here we're returning true because there
// will be no group value that we can use
// to store any permissions and don't want
// WARNS in the log.

return true; // EARLY EXIT!
}

boolean rv = securityFilter.passesFilter(session, d, currentUser.current());
boolean rv = false;
if (sysTypes.isInSystemGroup(d) ||
sysTypes.isInUserGroup(d)) {
rv = true;
}
else {
rv = securityFilter.passesFilter(session, d, currentUser.current());
}

// Misusing this location to store the loaded objects perms for later.
if (this.currentUser.getCurrentEventContext().getCurrentGroupId() < 1) {
if (this.currentUser.getCurrentEventContext().getCurrentGroupId() < 0) {
// For every object that gets loaded when omero.group = -1, we
// cache it's permissions in the session context so that when the
// session is over we can re-apply all the permissions.
ExperimenterGroup g = d.getGroup();
if (g == null) {
log.warn(String.format("Group null while loading %s:%s",
klass.getName(), id));
}
if (g != null) { // Null for system types
Long gid = g.getId();
Permissions p = g.getDetails().getPermissions();
this.currentUser.current().setPermissionsForGroup(gid, p);
if (p == null) {
log.warn(String.format("Permissions null for group %s " +
"while loading %s:%s", gid, klass.getName(), id));
} else {
this.currentUser.current().setPermissionsForGroup(gid, p);
}
}
}

Expand Down Expand Up @@ -375,7 +393,14 @@ public void postProcess(IObject object) {
// This order must match the ordered of restrictions[]
// expected by p.copyRestrictions
Scope.LINK, Scope.EDIT, Scope.DELETE, Scope.ANNOTATE);
p.copyRestrictions(allow);

// #9635 - This is not the most efficient solution
// But since it's unclear why Permission objects
// are currently being shared, the safest solution
// is to always produce a copy.
Permissions copy = new Permissions(p);
copy.copyRestrictions(allow);
details.setPermissions(copy); // #9635
}
}

Expand Down
4 changes: 2 additions & 2 deletions components/tools/OmeroPy/src/omero/plugins/group.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@ def find_group(self, admin, id_or_name):
gid = g.id.val
return gid, g
except omero.ApiUsageException:
self.ctx.die(503, "Unknown group: %s" % gid)
self.ctx.die(503, "Unknown group: %s" % id_or_name)

def find_user(self, admin, id_or_name):
import omero
Expand All @@ -142,7 +142,7 @@ def find_user(self, admin, id_or_name):
uid = u.id.val
return uid, u
except omero.ApiUsageException:
self.ctx.die(503, "Unknown experimenter: %s" % uid)
self.ctx.die(503, "Unknown experimenter: %s" % id_or_name)

def perms(self, args):

Expand Down
9 changes: 9 additions & 0 deletions components/tools/OmeroPy/test/integration/permissions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -652,6 +652,15 @@ def testPrivateGroupCallContext(self):
qb.get("TagAnnotation", tid, specific) # Not currently in gid
qb.get("TagAnnotation", tid, negone)

# Reading with an admin user
# ==============================================

def testAdminCanQueryWithGroupMinusOneTicket9632(self):
q = self.root.sf.getQueryService()
ctx = self.root.ic.getImplicitContext().getContext()
ctx["omero.group"] = "-1"
q.findAllByQuery('select p from Project as p', None, ctx)

# Use of omero.user
# ==============================================

Expand Down