Staff users can have permission at a more restrictive depth than assigned via a permission group

Bug #1480432 reported by Michele Morgan
This bug affects 3 people
Affects: Evergreen
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

With a hierarchical permission group structure, and assigned permission similar to the following:

Staff
 |_Basic Circulation - SET_CIRC_CLAIMS_RETURNED at depth 1
    |_Circulation Supervisor - SET_CIRC_CLAIMS_RETURNED at depth 0

A staff user in the Circulation Supervisor permission group can actually be authorized at the more restrictive depth of the parent permission group.

The database function permission.usr_perms() does a SELECT DISTINCT but does not impose an explicit sort on the depth of permissions associated with a user. Consequently, when a user has the same permission from more than one group, the actual selected row can be less permissive than intended.
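
The ordering problem described above, as an added illustration (this is not Evergreen's code, and the schema is not Evergreen's): an in-memory SQLite model of the group hierarchy from the report. The table names (grp_tree, grp_perm_map, usr_grp_map), the recursive ancestor walk, and the "first row wins" consumer are assumptions of this example, chosen to show why a DISTINCT result set with no explicit sort can hand a Circulation Supervisor the parent group's depth 1 grant instead of the intended depth 0. Depth semantics follow the report: depth 0 is the wider, more permissive scope.

```python
"""
Added example, not Evergreen code: models the lookup the bug report describes.
Table and column names are hypothetical simplifications of Evergreen's
permission schema, and the consumer below is an assumption about how a caller
that trusts row order would behave.
"""
import sqlite3

# Constructed sample data mirroring the hierarchy in the bug report:
#   Staff
#    |_ Basic Circulation         - SET_CIRC_CLAIMS_RETURNED at depth 1
#        |_ Circulation Supervisor - SET_CIRC_CLAIMS_RETURNED at depth 0
# User 100 is a Circulation Supervisor; user 101 is Basic Circulation only.
SCHEMA = """
CREATE TABLE grp_tree (id INTEGER PRIMARY KEY, name TEXT, parent INTEGER);
CREATE TABLE grp_perm_map (grp INTEGER, perm TEXT, depth INTEGER);
CREATE TABLE usr_grp_map (usr INTEGER, grp INTEGER);
INSERT INTO grp_tree VALUES (1, 'Staff', NULL),
                            (2, 'Basic Circulation', 1),
                            (3, 'Circulation Supervisor', 2);
INSERT INTO grp_perm_map VALUES (2, 'SET_CIRC_CLAIMS_RETURNED', 1),
                                (3, 'SET_CIRC_CLAIMS_RETURNED', 0);
INSERT INTO usr_grp_map VALUES (100, 3), (101, 2);
"""

# Walk from the user's own group up through every ancestor group and collect
# each permission granted along the way together with its depth. DISTINCT,
# no ORDER BY: the shape the report attributes to permission.usr_perms().
GROUP_WALK = """
WITH RECURSIVE ancestry(id) AS (
    SELECT grp FROM usr_grp_map WHERE usr = ?
    UNION ALL
    SELECT g.parent FROM grp_tree g JOIN ancestry a ON g.id = a.id
    WHERE g.parent IS NOT NULL
)
SELECT DISTINCT m.perm AS perm, m.depth AS depth
FROM grp_perm_map m JOIN ancestry a ON m.grp = a.id
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def usr_perms_unsorted(conn, usr):
    """Rows exactly as the walk returns them. A supervisor gets
    SET_CIRC_CLAIMS_RETURNED twice (depth 1 and depth 0) and nothing
    fixes which of the two rows the caller sees first."""
    return conn.execute(GROUP_WALK, (usr,)).fetchall()


def usr_perms_sorted(conn, usr):
    """Same walk with an explicit sort: for each permission the lowest
    (widest) depth comes first, so a first-row-wins consumer gets the
    intended grant regardless of physical row order."""
    return conn.execute(GROUP_WALK + " ORDER BY perm, depth ASC", (usr,)).fetchall()


def first_row_wins(rows):
    """Collapse (perm, depth) rows to {perm: depth}, keeping the first row
    seen for each permission, as a consumer that trusts row order would."""
    out = {}
    for perm, depth in rows:
        out.setdefault(perm, depth)
    return out


def depths_seen(conn, usr, perm):
    """Every depth the unsorted query yields for one permission; more than
    one value means the caller's answer depends on row order."""
    return sorted(d for p, d in usr_perms_unsorted(conn, usr) if p == perm)


def effective_depth(conn, usr, perm):
    """Depth at which `usr` actually holds `perm` once the sort is applied."""
    return first_row_wins(usr_perms_sorted(conn, usr)).get(perm)


if __name__ == "__main__":
    db = open_db()
    print("supervisor depths without sort:", depths_seen(db, 100, "SET_CIRC_CLAIMS_RETURNED"))
    print("supervisor effective depth:    ", effective_depth(db, 100, "SET_CIRC_CLAIMS_RETURNED"))
    print("basic circ effective depth:    ", effective_depth(db, 101, "SET_CIRC_CLAIMS_RETURNED"))
```

Run it and the supervisor's unsorted result carries both depth 0 and depth 1 for the same permission; the sorted query returns the depth 0 row first, and a Basic Circulation user still resolves to depth 1. An aggregate (GROUP BY perm with MIN(depth)) would remove the duplicate row altogether; the ORDER BY form is shown because the working branch named on this page describes changing the sort of the retrieved permissions.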

Tags: pullrequest
Michele Morgan (mmorgan)
Changed in evergreen:
assignee: nobody → Michele Morgan (mmorgan)
Michele Morgan (mmorgan) wrote :

A working branch to change the sort of retrieved permissions in the function permission.usr_perms() is at:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/mmorgan/LP_1480432_staff_user_permission_depth_fix

Changed in evergreen:
assignee: Michele Morgan (mmorgan) → nobody
tags: added: pullrequest
Galen Charlton (gmc)
tags: added: needstest
Cesar V (cesardv) wrote :
tags: removed: needstest
Kathy Lussier (klussier)
Changed in evergreen:
milestone: none → 2.12.4
milestone: 2.12.4 → 3.0-alpha
Galen Charlton (gmc)
Changed in evergreen:
importance: Undecided → Medium
status: New → Confirmed
Galen Charlton (gmc) wrote :

Merged to master. Thanks, Michele and Cesar!

Changed in evergreen:
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released