Sakai / SAK-38886

Authz regression for Delegated Access where users don't have permission to site

    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 11.2, 12.0
    • Fix Version/s: 11.2, 12.0
    • Component/s: Kernel
    • Labels:
    • 11 status:
      Verified
    • Previous Issue Keys:
      KNL-1479
    • Test Plan:
      Use the Delegated Access tool to give access to a user, then log in as that user and access the site.

      Success would be that the user sees the site; failure would be that the user gets "site not available".

      Description

      KNL-1447 introduced a regression where authz service isAllowed() returns false when checking delegated access.

      Original query

      select count(1) from SAKAI_REALM_RL_FN MAINTABLE
              JOIN SAKAI_REALM_ROLE ROLE ON ROLE.ROLE_KEY = MAINTABLE.ROLE_KEY
              JOIN SAKAI_REALM_FUNCTION FUNCTIONS ON FUNCTIONS.FUNCTION_KEY = MAINTABLE.FUNCTION_KEY
              JOIN SAKAI_REALM REALM ON REALM.REALM_KEY = MAINTABLE.REALM_KEY
              where ROLE.ROLE_NAME = 'Instructor'
                      AND FUNCTIONS.FUNCTION_NAME = 'site.visit'
                      AND REALM.REALM_ID = '!site.template.course';
      

      returns 1

      Whereas the updated query from KNL-1447

      select count(1) from SAKAI_REALM_RL_FN MAINTABLE
              JOIN SAKAI_REALM_ROLE ROLE ON ROLE.ROLE_KEY = MAINTABLE.ROLE_KEY
              JOIN SAKAI_REALM_FUNCTION FUNCTIONS ON FUNCTIONS.FUNCTION_KEY = MAINTABLE.FUNCTION_KEY
              JOIN SAKAI_REALM REALM ON REALM.REALM_KEY = MAINTABLE.REALM_KEY
              where ROLE.ROLE_NAME = 'Instructor'
                      AND FUNCTIONS.FUNCTION_NAME = 'site.visit'
                      AND REALM.REALM_KEY in (select REALM_KEY from SAKAI_REALM where SAKAI_REALM.REALM_ID IN ('!site.template.course'))
                      AND MAINTABLE.REALM_KEY in (select REALM_KEY from SAKAI_REALM_RL_GR where ACTIVE = '1' and USER_ID = 'd9adb840-b89d-4df4-b378-d3d8cd3d2ba6');
      

      returns 0
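The difference between the two queries above can be reproduced against a small in-memory database. This is an added example, not part of the original issue or Sakai's own code; the reduced table columns, the second realm, and the assumption that the delegated user has no SAKAI_REALM_RL_GR row for the template realm are constructed for illustration.

```python
import sqlite3

USER = "d9adb840-b89d-4df4-b378-d3d8cd3d2ba6"  # user id from the updated query above

# Constructed minimal schema (not Sakai's real DDL): only the columns the two
# queries touch. Realm 2 is a made-up site used for an unrelated membership.
SCHEMA = """
CREATE TABLE SAKAI_REALM (REALM_KEY INTEGER PRIMARY KEY, REALM_ID TEXT);
CREATE TABLE SAKAI_REALM_ROLE (ROLE_KEY INTEGER PRIMARY KEY, ROLE_NAME TEXT);
CREATE TABLE SAKAI_REALM_FUNCTION (FUNCTION_KEY INTEGER PRIMARY KEY, FUNCTION_NAME TEXT);
CREATE TABLE SAKAI_REALM_RL_FN (REALM_KEY INTEGER, ROLE_KEY INTEGER, FUNCTION_KEY INTEGER);
CREATE TABLE SAKAI_REALM_RL_GR (REALM_KEY INTEGER, USER_ID TEXT, ROLE_KEY INTEGER, ACTIVE TEXT);
INSERT INTO SAKAI_REALM VALUES (1, '!site.template.course'), (2, '/site/constructed-example');
INSERT INTO SAKAI_REALM_ROLE VALUES (1, 'Instructor');
INSERT INTO SAKAI_REALM_FUNCTION VALUES (1, 'site.visit');
INSERT INTO SAKAI_REALM_RL_FN VALUES (1, 1, 1);
"""

# Joins and role/function predicates shared by both queries, parameterised.
BASE = """
SELECT count(1) FROM SAKAI_REALM_RL_FN MAINTABLE
  JOIN SAKAI_REALM_ROLE ROLE ON ROLE.ROLE_KEY = MAINTABLE.ROLE_KEY
  JOIN SAKAI_REALM_FUNCTION FUNCTIONS ON FUNCTIONS.FUNCTION_KEY = MAINTABLE.FUNCTION_KEY
  JOIN SAKAI_REALM REALM ON REALM.REALM_KEY = MAINTABLE.REALM_KEY
 WHERE ROLE.ROLE_NAME = ? AND FUNCTIONS.FUNCTION_NAME = ?
"""
ORIGINAL = BASE + " AND REALM.REALM_ID = ?"
UPDATED = BASE + """
   AND REALM.REALM_KEY IN (SELECT REALM_KEY FROM SAKAI_REALM WHERE REALM_ID IN (?))
   AND MAINTABLE.REALM_KEY IN (SELECT REALM_KEY FROM SAKAI_REALM_RL_GR
                               WHERE ACTIVE = '1' AND USER_ID = ?)"""

def make_db(memberships=()):
    """Build the database; memberships are (REALM_KEY, USER_ID, ROLE_KEY, ACTIVE) rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO SAKAI_REALM_RL_GR VALUES (?, ?, ?, ?)", memberships)
    return db

def original_count(db, realm_id):
    return db.execute(ORIGINAL, ("Instructor", "site.visit", realm_id)).fetchone()[0]

def updated_count(db, realm_id, user_id):
    return db.execute(UPDATED, ("Instructor", "site.visit", realm_id, user_id)).fetchone()[0]

if __name__ == "__main__":
    db = make_db([(2, USER, 1, "1")])  # active member of another realm only
    print(original_count(db, "!site.template.course"),
          updated_count(db, "!site.template.course", USER))
```

The role still holds site.visit in the template realm in both cases; only the extra SAKAI_REALM_RL_GR membership filter changes the count, so a test of this shape belongs alongside any change to the authz query.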

                People

                • Assignee:
                  k1team KERNEL TEAM (Inactive)
                  Reporter:
                  ern Earle R Nietzel