User Story #52 (closed)
When logged in as root, the Experimenter field of Details should be honored.
Reported by: | Josh Moore <josh.moore@…> | Owned by: | jamoore |
---|---|---|---|
Priority: | minor | Milestone: | 3.0-M2 |
Component: | API | Keywords: | iteration3 |
Cc: | cxallan | Story Points: | n.a. |
Sprint: | n.a. | Importance: | n.a. |
Total Remaining Time: | n.a. | Estimated Remaining Time: | n.a. |
Description (last modified by jmoore)
Unlike "normal" users, root should be able to define to whom an object belongs by calling:
iObject.getDetails().setExperimenter( user )
This will be needed to support #50 in which the importer/resurrector wants to save an entire multi-user graph in a single transaction.
Current, best, short-term solution is to add an if-clause in the Details managing code of UpdateFilter which checks the current user for being root.
Things that go along with this:
- Can a regular user do this by sudo-ing? (needs @RunAs?)
- Can other "Admins" do it? (don't currently have them)
- ...
Change History (5)
comment:1 Changed 18 years ago by jmoore
- Description modified (diff)
comment:2 Changed 18 years ago by jmoore
- Keywords iteration3 added; iteration2 removed
comment:3 Changed 18 years ago by jmoore
- Cc callan added
- Status changed from new to assigned
r700 implements this in UpdateFilter. It's currently a bit limited so I'm going to leave this open for discussion.
Limitations are:
- To fulfill #50, resurrect will need to be run as root
- Currently, the group of a user is not taken into account. The logic is: if (root) then ... else ....
- Testing. There are mock tests for all the cases I can think of, but we need to review. Integration tests would also make sense.
Any other requirements short-, mid-, and long-term?
comment:4 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from assigned to closed
r704 and r705 support this. SecurityViolation thrown on any misuse.
Testing is fairly extensive, though the changing of group fields could be more thought through. ( We don't have that many groups at the moment. :) ) Currently, there are no plans for allowing the system (i.e. admin) group to do this, but a @RunAs("root") annotation should be simple enough.
In general, the security logic will need to be factored out as it gets more complicated. Something along the lines of:
new UpdateFilter( hibernateTemplate, securityFilter );
comment:5 Changed 18 years ago by jmoore
r713 fixes a small mistake in UpdateFilter. Changes allowed root to set Details to null even though the Details fields are usually not-null.
Discussion with Chris. Moving to iter3 to not rush this.
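
The root-only ownership rule discussed in this ticket, with the security policy passed into the filter as comment:4 proposes, shown as an added Java example that is not the project's UpdateFilter code. All type and method names (`OwnerFilterExample`, `SecurityFilter.mayAssignOwner`, `filterDetails`, the string user names) are hypothetical, and replacing a null Details with server-assigned values is an assumption about how the null case is handled.

```java
// Added illustration (Java 16+); every type here is a hypothetical stand-in, not OMERO code.
public class OwnerFilterExample {

    static class SecurityViolation extends RuntimeException {
        SecurityViolation(String msg) { super(msg); }
    }

    // Stand-in for an object's Details: only the owning experimenter is modelled.
    record Details(String experimenter) {}

    // Policy factored out of the filter, as comment:4 suggests.
    interface SecurityFilter { boolean mayAssignOwner(String caller); }

    static final SecurityFilter ROOT_ONLY = caller -> "root".equals(caller);

    // current: Details already stored (null for a new object); submitted: what the client sent.
    static Details filterDetails(SecurityFilter policy, String caller,
                                 Details current, Details submitted) {
        // Owner the server assigns when the client does not get a say.
        String serverOwner = (current != null) ? current.experimenter() : caller;
        if (submitted == null || submitted.experimenter() == null) {
            // Assumption: a null is replaced rather than stored, for root too (cf. comment:5).
            return new Details(serverOwner);
        }
        if (submitted.experimenter().equals(serverOwner)) {
            return submitted; // no reassignment requested
        }
        if (!policy.mayAssignOwner(caller)) {
            throw new SecurityViolation(
                caller + " may not set Experimenter to " + submitted.experimenter());
        }
        return submitted; // root: the requested Experimenter is honored
    }

    public static void main(String[] args) {
        Details aliceOwned = new Details("alice"); // constructed sample data
        // root imports an object on behalf of another user
        System.out.println(filterDetails(ROOT_ONLY, "root", null, aliceOwned));
        // root sends null Details for an existing object: ownership is kept
        System.out.println(filterDetails(ROOT_ONLY, "root", aliceOwned, null));
        try {
            filterDetails(ROOT_ONLY, "bob", null, aliceOwned); // regular user tries the same
        } catch (SecurityViolation e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the decision sits behind `SecurityFilter`, a group-aware or `@RunAs`-style policy can be swapped in without touching the filtering code.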