Project: Sakai
Issue: SAK-39202

Check user membership during role swapping


    Details

    • 11 status:
      Resolved
    • Previous Issue Keys:
      KNL-1447
    • Test Plan:

      1.- Create a course site with 2 sections.
      2.- Add the Roster and Resources tools.
      3.- Create a folder named Group2 and a folder named Group1, and make each one accessible only to the corresponding group.
      4.- Log in as admin, go to the site realm and grant the "site.roleswap" permission to the Teaching Assistant role.
      5.- Now log in as user "ta2"/"sakai". This is a Teaching Assistant of group 2.
      6.- Go to Roster and check that you can only access group 2.
      7.- Go to Resources and check that you can only see the folder "Group2".
      8.- Now role swap to Student.
      9.- Repeat steps 6 and 7; if you are able to see more groups, it fails!


      Description

      The security service is not checking the group realms you belong to after you role swap. For example, if you are a member of a site with sections A, B and C, but you are only a member of sections A and B, then after you role swap you are able to do things granted to the role you swapped to in section C.

      Whether you can or not depends on how the tool behaves; for example, SAK-31455 is an example of a tool that shows this bad behaviour.

      I think that the right thing to do is to allow people to role swap only in realms they actually belong to. It would be weird if you could only see one group but were able to see other groups when you role swap to a lesser role (student, access, ...).
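      The check the reporter is asking for, shown as a small stand-alone model of realm-based authorization. This is an added example written for this page, not Sakai's SecurityService code: the `Realm`/`Site` classes, the realm references, user names (`ta2`, `s1`) and the use of `content.read` as the function being checked are all constructed for illustration. It puts the buggy behaviour described above (the swapped role is honoured in every group realm of the site) next to the fixed behaviour (the swapped role is only honoured in realms the user is actually a member of).

```python
"""Model of role swap vs. group membership, before and after the SAK-39202 fix.

Constructed, stand-alone example; it does not call Sakai's own APIs.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Realm:
    """An authz realm: its members (user -> role) and what each role may do."""
    ref: str
    members: dict[str, str] = field(default_factory=dict)
    grants: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, role: str, function: str) -> bool:
        return function in self.grants.get(role, set())


@dataclass
class Site:
    site_realm: Realm
    group_realms: dict[str, Realm]
    # user -> role they have swapped to (assumed to be cleared when they swap back)
    swapped: dict[str, str] = field(default_factory=dict)


def swap_role(site: Site, user: str, role: str) -> None:
    """Role swap is only offered to users whose site-level role holds site.roleswap
    (step 4 of the test plan grants it to Teaching Assistant)."""
    site_role = site.site_realm.members.get(user)
    if site_role is None or not site.site_realm.allows(site_role, "site.roleswap"):
        raise PermissionError(f"{user} may not role swap in {site.site_realm.ref}")
    site.swapped[user] = role


def is_allowed_unchecked(site: Site, user: str, function: str, group: str) -> bool:
    """Buggy behaviour from the issue: once swapped, the swapped role is applied
    in every group realm of the site, whether or not the user is a member."""
    realm = site.group_realms[group]
    if user in site.swapped:
        return realm.allows(site.swapped[user], function)
    role = realm.members.get(user)
    return role is not None and realm.allows(role, function)


def is_allowed_checked(site: Site, user: str, function: str, group: str) -> bool:
    """Fixed behaviour: membership in the realm is required first; only then is
    the swapped role (or the real one) consulted."""
    realm = site.group_realms[group]
    if user not in realm.members:
        return False
    role = site.swapped.get(user, realm.members[user])
    return realm.allows(role, function)


def visible_groups(check, site: Site, user: str, function: str) -> list[str]:
    """Groups in which `check` grants `function` to `user` (what Roster/Resources would show)."""
    return sorted(g for g in site.group_realms if check(site, user, function, g))


def build_site() -> Site:
    """Constructed sample: sections A, B and C; ta2 is a TA in A and B only,
    s1 is a student in C. Students and TAs may read content in their groups."""
    def realm(ref: str, members: dict[str, str], site_level: bool = False) -> Realm:
        grants = {"Student": {"content.read"}, "Teaching Assistant": {"content.read"}}
        if site_level:
            grants["Teaching Assistant"].add("site.roleswap")
        return Realm(ref, dict(members), grants)

    site_realm = realm("/site/course1", {"ta2": "Teaching Assistant", "s1": "Student"}, True)
    groups = {
        "A": realm("/site/course1/group/A", {"ta2": "Teaching Assistant"}),
        "B": realm("/site/course1/group/B", {"ta2": "Teaching Assistant"}),
        "C": realm("/site/course1/group/C", {"s1": "Student"}),
    }
    return Site(site_realm, groups)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Returns (groups before swap, groups after swap with the bug, groups after swap fixed)."""
    site = build_site()
    before = visible_groups(is_allowed_unchecked, site, "ta2", "content.read")
    swap_role(site, "ta2", "Student")
    buggy = visible_groups(is_allowed_unchecked, site, "ta2", "content.read")
    fixed = visible_groups(is_allowed_checked, site, "ta2", "content.read")
    return before, buggy, fixed


if __name__ == "__main__":
    print(demo())
```

      Run stand-alone, `demo()` returns `(['A', 'B'], ['A', 'B', 'C'], ['A', 'B'])`: the unchecked variant leaks section C to ta2 after the swap, exactly the failure condition in step 9 of the test plan, while the membership-checked variant keeps the swapped user inside the groups they really belong to. The point of the design is the order of the checks: membership first, role second, so a swap can only ever reduce what a user sees.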


                People

                • Assignee:
                  jjmerono@um.es Juan José Meroño Sánchez
                  Reporter:
                  jjmerono@um.es Juan José Meroño Sánchez
                • Votes:
                  0
                  Watchers:
                  4
