Task #8513 (closed)
BUG Security Violation while login as non-admin user
Reported by: | atarkowska | Owned by: | atarkowska |
---|---|---|---|
Priority: | blocker | Milestone: | OMERO-4.4 |
Component: | Web | Version: | n.a. |
Keywords: | n.a. | Cc: | web-team@… |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2012-04-24 (13) |
Description (last modified by atarkowska)
```
2012-04-09 14:53:59,876 DEBUG [ omero.gateway] (proc.01446) _createProxies:1455 ## Creating proxies
2012-04-09 14:53:59,894 WARNI [ omero.gateway] (proc.01446) debug:3137 SecurityViolation on <class 'webclient.webclient_gateway.OmeroWebSafeCallWrapper'> to <bafc550a-81a3-4d69-b9bb-94849b232ce2omero.api.IQuery> findByQuery(('select distinct obj from Experimenter as obj left outer join fetch obj.groupExperimenterMap as map left outer join fetch map.parent g where obj.id in (:ids)', object #0 (::omero::sys::Parameters)
{
    map =
    {
        key = ids
        value = object #1 (::omero::RList)
        {
            _val =
            {
                [0] = object #2 (::omero::RLong)
                {
                    _val = 52
                }
            }
        }
    }
    theFilter = <nil>
    theOptions = <nil>
}, {'omero.share': '9401'}), {})
Traceback (most recent call last):
  File "/Users/ola/Dev/omero/dist/lib/python/omero/gateway/__init__.py", line 3155, in __call__
    return self.f(*args, **kwargs)
  File "/Users/ola/Dev/omero/dist/lib/python/omero_api_IQuery_ice.py", line 133, in findByQuery
    return _M_omero.api.IQuery._op_findByQuery.invoke(self, ((query, params), _ctx))
SecurityViolation: exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: User 52 cannot access share 9401
        at ome.security.basic.BasicEventContext.checkAndInitialize(BasicEventContext.java:132)
        at ome.security.basic.CurrentDetails.checkAndInitialize(CurrentDetails.java:235)
        at ome.security.basic.BasicSecuritySystem.loadEventContext(BasicSecuritySystem.java:336)
        at ome.security.basic.EventHandler.invoke(EventHandler.java:118)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy75.findByQuery(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor290.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:98)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy75.findByQuery(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
        at ome.services.throttling.Callback.run(Callback.java:56)
        at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
        at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:137)
        at ome.services.blitz.impl.QueryI.findByQuery_async(QueryI.java:92)
        at sun.reflect.GeneratedMethodAccessor375.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at omero.cmd.CallContext.invoke(CallContext.java:59)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy76.findByQuery_async(Unknown Source)
        at omero.api._IQueryTie.findByQuery_async(_IQueryTie.java:113)
        at omero.api._IQueryDisp.___findByQuery(_IQueryDisp.java:342)
        at omero.api._IQueryDisp.__dispatch(_IQueryDisp.java:508)
        at IceInternal.Incoming.invoke(Incoming.java:159)
        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
        at Ice.ConnectionI.message(ConnectionI.java:972)
        at IceInternal.ThreadPool.run(ThreadPool.java:577)
        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
        at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
    serverExceptionClass = ome.conditions.SecurityViolation
    message = User 52 cannot access share 9401
}
```
Change History (13)
comment:1 Changed 12 years ago by atarkowska
- Cc web-team@… added
- Component changed from General to Web
- Description modified (diff)
comment:2 Changed 12 years ago by atarkowska
- Priority changed from minor to blocker
comment:3 Changed 12 years ago by jburel
- Sprint changed from 2012-04-10 (12) to 2012-04-24 (13)
comment:4 Changed 12 years ago by jmoore
Ola, can you give me the commit/branch that this was tested on?
comment:5 Changed 12 years ago by jmoore
- Owner changed from jmoore to atarkowska
Ola, sorry, I was wrong. This does look to be implemented (I might have been looking at the wrong branch myself when I told you so). This test is currently passing for me:
diff --git a/components/tools/OmeroPy/test/integration/ishare.py b/components/tools/OmeroPy/test/integration/ishare.py index c55549e..57950cc 100644 --- a/components/tools/OmeroPy/test/integration/ishare.py +++ b/components/tools/OmeroPy/test/integration/ishare.py @@ -788,6 +788,28 @@ class TestIShare(lib.ITest): self.assertRaises(omero.SecurityViolation, \ self.client.sf.getQueryService().get, "Image", -1, {"omero.share":"-100"}) + def test8513(self): + owner, owner_obj = self.new_client_and_user(perms="rw----") # Owner of share + member, member_obj = self.new_client_and_user(perms="rw----") # Different group! + + share = owner.sf.getShareService() + sid = self.create_share(share, objects=[], experimenters=[owner_obj, member_obj]) + + self.assertAccess(owner, sid) + self.assertAccess(member, sid) + + # And the member should be able to use omero.share:sid + member_query = member.sf.getQueryService() + rv = member_query.find("Image", -1, {"omero.share":"%s" % sid}) + self.assertEquals(None, rv) + + ### Note: The following fails with a security violation since + ### it is expected that the user first check the contents of + ### the share and then load those values. + ### ========================================================= + ## rv = member_query.findAll("Image", None, {"omero.share":"%s" % sid}) + ## self.assertEquals(0, len(rv))
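Review bot: the expected SecurityViolation for findAll is only documented in the commented-out block at the end of test8513; assert it instead, e.g. `self.assertRaises(omero.SecurityViolation, member_query.findAll, "Image", None, {"omero.share": "%s" % sid})`, so the rule that a member must first check the share contents and then load those values is enforced by the test rather than left as a note that can silently go stale. Also, `assertAccess` and `create_share` are called but not defined anywhere in this hunk; confirm they exist on lib.ITest or TestIShare before this goes in.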
Any thoughts?
comment:6 Changed 12 years ago by atarkowska
- Status changed from new to accepted
comment:7 Changed 12 years ago by atarkowska
- Remaining Time set to 0.2
comment:8 Changed 12 years ago by atarkowska
- Remaining Time changed from 0.2 to 0
- Status changed from accepted to closed
comment:9 Changed 12 years ago by atarkowska
comment:10 Changed 12 years ago by jmoore <josh@…>
(In [a98a2cdd1a2d785c8fcc9dc6b9f8fd782a22b2b1/ome.git] on branch develop) Passing share test (See #8513)
comment:11 Changed 12 years ago by jmoore <josh@…>
(In [3e9b687d8a2b4a090f94cbe2e0dc4abd8c019367/ome.git] on branch develop) Ola's test modifications (See #8513)
comment:12 Changed 12 years ago by Aleksandra Tarkowska <A.Tarkowska@…>
- Resolution set to fixed
(In [051911e9413f48301625fd5a2258af906e6df8de/ome.git] on branch develop) fixing SecurityViolation exception, close #8513
share needs to be deactivated when browsing regular data
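The two behaviours the thread turns on are the server-side check in comment 5 (a call carrying `omero.share:sid` is only honoured for a member of that share, otherwise the `User 52 cannot access share 9401` SecurityViolation from the description) and the client-side fix in comment 12 (the webclient must stop sending the share id once the user is back to browsing regular data). The following is an added illustration, not OMERO code: the share registry, the query stub and the session wrapper are constructed stand-ins so it runs offline, membership is assumed to be the only condition the check applies, and the share/user ids and images are made-up data. Only the context key `omero.share` and the error text come from the ticket.

```python
# Added illustration for ticket #8513: a constructed model of the omero.share
# call-context check and of the web-gateway fix "share needs to be
# deactivated when browsing regular data".  Nothing here is OMERO code; the
# registry, the query stub and the session wrapper are assumptions made so
# the example runs offline.  Only the context key "omero.share" and the
# error text come from the ticket.


class SecurityViolation(Exception):
    """Stand-in for omero.SecurityViolation (serverStackTrace omitted)."""


class ShareRegistry:
    """Constructed stand-in for the server's share-membership table."""

    def __init__(self):
        self._members = {}  # share id -> set of experimenter ids

    def create_share(self, sid, experimenters):
        self._members[sid] = set(experimenters)

    def check_and_initialize(self, user_id, ctx):
        """Models BasicEventContext.checkAndInitialize as far as the ticket
        shows it: a context naming a share is honoured only for a member of
        that share; anyone else gets the SecurityViolation from the log.
        (Assumption: membership is the only condition modelled here.)"""
        share = ctx.get("omero.share")
        if share is None:
            return None  # plain call: ordinary group security applies
        sid = int(share)
        if user_id not in self._members.get(sid, set()):
            raise SecurityViolation("User %d cannot access share %d" % (user_id, sid))
        return sid


class QueryService:
    """Minimal IQuery stand-in: every call runs the context check first."""

    def __init__(self, registry, user_id, own_images):
        self._registry = registry
        self._user_id = user_id
        self._own_images = list(own_images)

    def find_all(self, ctx=None):
        ctx = dict(ctx or {})
        self._registry.check_and_initialize(self._user_id, ctx)
        return list(self._own_images)


class WebGatewaySession:
    """Models the webclient wrapper that merges a remembered share id into
    the context of every call.  The ticket's bug is that the id is still
    sent after the user has left the share and browses regular data."""

    def __init__(self, query):
        self._query = query
        self.active_share = None  # set when a share page is opened

    def _ctx(self):
        if self.active_share is None:
            return {}
        return {"omero.share": str(self.active_share)}

    def browse_regular_data_before_fix(self):
        # Before the fix: whatever share id lingers in the session goes out
        # with the call, and the server rejects it for a non-member.
        return self._query.find_all(self._ctx())

    def browse_regular_data_after_fix(self):
        # After the fix: deactivate the share first, so regular browsing
        # never carries omero.share at all.
        self.active_share = None
        return self._query.find_all(self._ctx())


def demo():
    """Reproduce the log's failure, then the fixed behaviour (constructed data)."""
    registry = ShareRegistry()
    registry.create_share(9401, experimenters=[7])  # user 52 is not a member
    user52 = QueryService(registry, user_id=52, own_images=["img-1", "img-2"])
    session = WebGatewaySession(user52)
    session.active_share = 9401  # stale id left behind in the web session

    try:
        session.browse_regular_data_before_fix()
        before = "no error"
    except SecurityViolation as e:
        before = str(e)
    after = session.browse_regular_data_after_fix()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry that the test in comment 5 relies on: the server never trusts the share id in the call context on its own, it re-checks membership on every call, so a client that keeps attaching a stale `omero.share` will be refused even for queries that have nothing to do with shares (here, the Experimenter lookup from the log). Clearing the share context on the client is what makes regular browsing fall back to ordinary group security.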
comment:13 Changed 12 years ago by Aleksandra Tarkowska <A.Tarkowska@…>
(In [4bddf8df4ffa7ed80e3c90fe711b8ac0ed681bfd/ome.git] on branch develop) adding extra parameters, see #8513
Moved from sprint 2012-04-10 (12)