Sakai / SAK-20011

Announcement notifications go to participants that are not members of the site

    Details

    • Type: Bug
    • Status: Verified
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.1, 2.9.0
    • Fix Version/s: 2.8.2, 2.9.0
    • Component/s: Announcements
    • Labels: None
    • 2.8 Status: Resolved
    • Previous Issue Keys:

      Description

      Scenario is similar to KNL-392

      Support users who have global access to sites through !site.helper receive announcement notifications from every site, even though they are not enrolled in the sites. Announcement notifications should only go to people who are actually enrolled in the site.

        Activity

        Nicola Monat-Jacobs added a comment -
        Steps to replicate

        1) Administration Workspace -> Realms -> !site.helper
        2) Add new role called junioradmin
        3) Assign the relevant permissions for assignments and content to the role -> Save
        4) In Realms -> !site.helper -> Grant Ability to a user of your choice (including site.visit) -> Make the user a junioradmin -> Save
        5) Send an announcement to a site and junioradmin user will receive it even though they are not in the site.
        Adam York added a comment -
        Right now the distinct list of users is based off two separate groups composed from SAK-5295
        Group #1: users who are direct site members
        Group #2: users with permission to all groups if granted at the channel or site level

        Question is simple: are there any scenarios where Group #2 is legitimately applicable? If so we need to identify the sub group they belong to so we can filter more aggressively. Otherwise we can simply remove the function that is overridden in SiteEmailNotificationAnnc.java, which will limit announcement email notifications to just Group #1.
        Adam York added a comment -
        I forgot to note that the linked JIRA KNL-392 fixed the general concern of paring down the list of users to just site members. However the issue here is created by the extension of the addSpecialRecipients() function within announcements. I need a general consensus that Group #2 should not be part of the email recipients list before I remove the extended functionality from announcements.

        If you use dates as precedence the originating JIRA SAK-5295 precedes the KNL-392 JIRA, so you could argue the new way is to just include Group #1
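
The recipient logic discussed in the comments above, as an added example that is not part of the original issue and is not Sakai's code: a simplified model in which realm lookups are plain maps, showing why a union of site members (Group #1) and permission holders (Group #2) reaches `!site.helper` users, and a check that flags non-member recipients. Apart from `!site.helper` and `site.visit`, every name here (the site id, the users, the `example.annc.read` function, all methods) is hypothetical.

```java
import java.util.*;
// Simplified model, not Sakai's API: realm id -> (user id -> granted functions).
public class AnnouncementRecipients {
    static final Map<String, Map<String, Set<String>>> REALMS = new HashMap<>();
    static final String HELPER = "!site.helper";    // realm consulted for every site
    static final String READ = "example.annc.read"; // hypothetical function name

    static void grant(String realm, String user, String... functions) {
        REALMS.computeIfAbsent(realm, r -> new HashMap<>())
              .computeIfAbsent(user, u -> new TreeSet<>())
              .addAll(Arrays.asList(functions));
    }

    // Group #1: users who hold a grant in the site's own realm (direct members).
    static Set<String> siteMembers(String siteRealm) {
        return new TreeSet<>(REALMS.getOrDefault(siteRealm, Map.of()).keySet());
    }

    // Group #2: users who pass the permission check. The check also consults
    // the helper realm, so a helper-realm user passes for every site.
    static Set<String> usersAllowedToRead(String siteRealm) {
        Set<String> allowed = new TreeSet<>();
        for (String realm : List.of(siteRealm, HELPER)) {
            REALMS.getOrDefault(realm, Map.of()).forEach((user, fns) -> {
                if (fns.contains(READ)) allowed.add(user);
            });
        }
        return allowed;
    }

    // Behaviour described in the issue: union of Group #1 and Group #2.
    static Set<String> recipientsBeforeFix(String siteRealm) {
        Set<String> all = siteMembers(siteRealm);
        all.addAll(usersAllowedToRead(siteRealm));
        return all;
    }

    // Regression check: recipients who are not members of the site.
    static Set<String> nonMemberRecipients(Set<String> recipients, String siteRealm) {
        Set<String> extra = new TreeSet<>(recipients);
        extra.removeAll(siteMembers(siteRealm));
        return extra;
    }
    public static void main(String[] args) {
        String site = "/site/bio101"; // constructed sample data
        grant(site, "alice", READ); grant(site, "bob", READ);
        grant(HELPER, "junioradmin1", "site.visit", READ);
        Set<String> before = recipientsBeforeFix(site), after = siteMembers(site);
        System.out.println("before: " + before + " extra=" + nonMemberRecipients(before, site));
        System.out.println("after:  " + after + " extra=" + nonMemberRecipients(after, site));
    }
}
```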
        Adam York added a comment -
        proposed change - comment out (for now) the extended functionality of the kernel
        Adam York added a comment -
        Posted proposed change to sakai-dev@collab.sakaiproject.org - If no objections are posted I will submit my changes Monday
        Adam York added a comment -
        No objections - checked in proposed change.
        Hudson CI Server added a comment -
        Integrated in announcement trunk #20 (See [http://builds.sakaiproject.org:8080/job/announcement%20trunk/20/])
            SAK-20011 commented out functionality which caused global access users to be spammed with site announcement email notifications
        Sam Ottenhoff added a comment -
        2.8.x: 97435
        Teresa Collins added a comment -
        Verified on http://qa3-us.sakaiproject.org:8086/portal using Firefox 11.
        Role added in site.helper (Trainer).
        Grant Ability: User with Trainer role.
        Announcement sent out - High Notify All from a site the trainer wasn't a member of.
        Only members of the site received a copy of the announcement.

          People

          • Assignee: Adam York
          • Reporter: Nicola Monat-Jacobs