
Task #8513 (closed)

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

BUG Security Violation while logging in as non-admin user

Reported by: atarkowska Owned by: atarkowska
Priority: blocker Milestone: OMERO-4.4
Component: Web Version: n.a.
Keywords: n.a. Cc: web-team@…
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: 2012-04-24 (13)

Description (last modified by atarkowska)

2012-04-09 14:53:59,876 DEBUG [                           omero.gateway] (proc.01446) _createProxies:1455 ## Creating proxies
2012-04-09 14:53:59,894 WARNI [                           omero.gateway] (proc.01446) debug:3137 SecurityViolation on <class 'webclient.webclient_gateway.OmeroWebSafeCallWrapper'> to <bafc550a-81a3-4d69-b9bb-94849b232ce2omero.api.IQuery> findByQuery(('select distinct obj from Experimenter as obj left outer join fetch obj.groupExperimenterMap as map left outer join fetch map.parent g where obj.id in (:ids)', object #0 (::omero::sys::Parameters)
{
    map = 
    {
        key = ids
        value = object #1 (::omero::RList)
        {
            _val = 
            {
                [0] = object #2 (::omero::RLong)
                {
                    _val = 52
                }
            }
        }
    }
    theFilter = <nil>
    theOptions = <nil>
}, {'omero.share': '9401'}), {})
Traceback (most recent call last):
  File "/Users/ola/Dev/omero/dist/lib/python/omero/gateway/__init__.py", line 3155, in __call__
    return self.f(*args, **kwargs)
  File "/Users/ola/Dev/omero/dist/lib/python/omero_api_IQuery_ice.py", line 133, in findByQuery
    return _M_omero.api.IQuery._op_findByQuery.invoke(self, ((query, params), _ctx))
SecurityViolation: exception ::omero::SecurityViolation
{
    serverStackTrace = ome.conditions.SecurityViolation: User 52 cannot access share 9401
	at ome.security.basic.BasicEventContext.checkAndInitialize(BasicEventContext.java:132)
	at ome.security.basic.CurrentDetails.checkAndInitialize(CurrentDetails.java:235)
	at ome.security.basic.BasicSecuritySystem.loadEventContext(BasicSecuritySystem.java:336)
	at ome.security.basic.EventHandler.invoke(EventHandler.java:118)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy75.findByQuery(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor290.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:98)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy75.findByQuery(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:179)
	at ome.services.throttling.Callback.run(Callback.java:56)
	at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
	at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:137)
	at ome.services.blitz.impl.QueryI.findByQuery_async(QueryI.java:92)
	at sun.reflect.GeneratedMethodAccessor375.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at omero.cmd.CallContext.invoke(CallContext.java:59)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy76.findByQuery_async(Unknown Source)
	at omero.api._IQueryTie.findByQuery_async(_IQueryTie.java:113)
	at omero.api._IQueryDisp.___findByQuery(_IQueryDisp.java:342)
	at omero.api._IQueryDisp.__dispatch(_IQueryDisp.java:508)
	at IceInternal.Incoming.invoke(Incoming.java:159)
	at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
	at Ice.ConnectionI.message(ConnectionI.java:972)
	at IceInternal.ThreadPool.run(ThreadPool.java:577)
	at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)

    serverExceptionClass = ome.conditions.SecurityViolation
    message = User 52 cannot access share 9401
}

Change History (13)

comment:1 Changed 12 years ago by atarkowska

  • Cc web-team@… added
  • Component changed from General to Web
  • Description modified (diff)

comment:2 Changed 12 years ago by atarkowska

  • Priority changed from minor to blocker

comment:3 Changed 12 years ago by jburel

  • Sprint changed from 2012-04-10 (12) to 2012-04-24 (13)

Moved from sprint 2012-04-10 (12)

comment:4 Changed 12 years ago by jmoore

Ola, can you give me the commit/branch that this was tested on?

comment:5 Changed 12 years ago by jmoore

  • Owner changed from jmoore to atarkowska

Ola, sorry, I was wrong. This does look to be implemented (I might have been looking at the wrong branch myself when I told you so). This test is currently passing for me:

diff --git a/components/tools/OmeroPy/test/integration/ishare.py b/components/tools/OmeroPy/test/integration/ishare.py
index c55549e..57950cc 100644
--- a/components/tools/OmeroPy/test/integration/ishare.py
+++ b/components/tools/OmeroPy/test/integration/ishare.py
@@ -788,6 +788,28 @@ class TestIShare(lib.ITest):
         self.assertRaises(omero.SecurityViolation, \
             self.client.sf.getQueryService().get, "Image", -1, {"omero.share":"-100"})
 
+    def test8513(self):
+        owner, owner_obj = self.new_client_and_user(perms="rw----") # Owner of share
+        member, member_obj = self.new_client_and_user(perms="rw----") # Different group!
+
+        share = owner.sf.getShareService()
+        sid = self.create_share(share, objects=[], experimenters=[owner_obj, member_obj])
+
+        self.assertAccess(owner, sid)
+        self.assertAccess(member, sid)
+
+        # And the member should be able to use omero.share:sid
+        member_query = member.sf.getQueryService()
+        rv = member_query.find("Image", -1, {"omero.share":"%s" % sid})
+        self.assertEquals(None, rv)
+
+        ### Note: The following fails with a security violation since
+        ### it is expected that the user first check the contents of
+        ### the share and then load those values.
+        ### =========================================================
+        ## rv = member_query.findAll("Image", None, {"omero.share":"%s" % sid})
+        ## self.assertEquals(0, len(rv))
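Review bot: the new test8513 only exercises a share member, while the failure in the description is a non-member ("User 52 cannot access share 9401") hitting a query that carries omero.share; nothing in this hunk asserts that case. Add a third client that is not listed in experimenters and check `self.assertRaises(omero.SecurityViolation, other.sf.getQueryService().find, "Image", -1, {"omero.share": "%s" % sid})`, mirroring the existing negative test just above that uses share -100. The commented-out findAll block at the end is dead code: either encode the documented expectation as `self.assertRaises(omero.SecurityViolation, member_query.findAll, "Image", None, {"omero.share": "%s" % sid})` or drop it. Minor: `assertEquals` is the deprecated alias of `assertEqual`.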

Any thoughts?

comment:6 Changed 12 years ago by atarkowska

  • Status changed from new to accepted

comment:7 Changed 12 years ago by atarkowska

  • Remaining Time set to 0.2

comment:8 Changed 12 years ago by atarkowska

  • Remaining Time changed from 0.2 to 0
  • Status changed from accepted to closed

comment:10 Changed 12 years ago by jmoore <josh@…>

(In [a98a2cdd1a2d785c8fcc9dc6b9f8fd782a22b2b1/ome.git] on branch develop) Passing share test (See #8513)

comment:11 Changed 12 years ago by jmoore <josh@…>

(In [3e9b687d8a2b4a090f94cbe2e0dc4abd8c019367/ome.git] on branch develop) Ola's test modifications (See #8513)

comment:12 Changed 12 years ago by Aleksandra Tarkowska <A.Tarkowska@…>

  • Resolution set to fixed

(In [051911e9413f48301625fd5a2258af906e6df8de/ome.git] on branch develop) fixing SecurityViolation exception, close #8513

share needs to be deactivated when browsing regular data
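The mechanism behind the ticket, as an added illustration that is not OMERO's own code: the Ice call context travels with every method call, and the server refuses any call whose context names an `omero.share` the calling user may not use (the `BasicEventContext.checkAndInitialize` frame in the traceback). A web session that keeps `omero.share` set after leaving a share therefore fails on the next ordinary query, here loading Experimenter 52, which is exactly why the fix deactivates the share before browsing regular data. Everything below except the `omero.share` key, user 52 and share 9401 is constructed for the example: the share membership table, user 7, the `find` method and the class names are assumptions, and the server's refusal is modelled as non-membership, which the ticket does not spell out.

```python
"""Simulated OMERO share context check and the client-side fix (added example)."""
from typing import Dict, List, Optional, Set


class SecurityViolation(Exception):
    """Stand-in for omero.SecurityViolation."""


class FakeShareAwareServer:
    """Models the server-side gate: a call carrying ``omero.share`` is only
    accepted if the caller is a member of that share. Stand-in for
    BasicEventContext.checkAndInitialize, not the real implementation."""

    def __init__(self, share_members: Dict[int, Set[int]]) -> None:
        # share id -> experimenter ids allowed to use the share (constructed data)
        self.share_members = share_members
        self.calls: List[dict] = []  # accepted calls, for inspection

    def _check_and_initialize(self, user_id: int, ctx: Dict[str, str]) -> None:
        if "omero.share" not in ctx:
            return  # plain call: ordinary group permissions apply
        try:
            sid = int(ctx["omero.share"])
        except ValueError:
            raise SecurityViolation("bad omero.share value %r" % ctx["omero.share"])
        if user_id not in self.share_members.get(sid, set()):
            raise SecurityViolation("User %d cannot access share %d" % (user_id, sid))

    def find(self, user_id: int, klass: str, obj_id: int, ctx: Dict[str, str]) -> Optional[dict]:
        self._check_and_initialize(user_id, ctx)
        self.calls.append({"user": user_id, "klass": klass, "id": obj_id, "ctx": dict(ctx)})
        return None  # as in comment 5's test: find() on a missing id yields None


class ShareAwareGateway:
    """Client-side wrapper in the spirit of the webclient gateway: one call
    context per session, merged into every outgoing call (assumed design)."""

    def __init__(self, server: FakeShareAwareServer, user_id: int) -> None:
        self.server = server
        self.user_id = user_id
        self.ctx: Dict[str, str] = {}

    def activate_share(self, sid: int) -> None:
        self.ctx["omero.share"] = str(sid)

    def deactivate_share(self) -> None:
        # The fix from comment 12: drop the share before browsing regular data.
        self.ctx.pop("omero.share", None)

    def find(self, klass: str, obj_id: int, extra_ctx: Optional[Dict[str, str]] = None):
        ctx = dict(self.ctx)
        if extra_ctx:
            ctx.update(extra_ctx)
        return self.server.find(self.user_id, klass, obj_id, ctx)


def is_allowed(server: FakeShareAwareServer, user_id: int, ctx: Dict[str, str]) -> bool:
    """True if the server accepts a call from user_id with this context."""
    try:
        server.find(user_id, "Image", -1, ctx)
    except SecurityViolation:
        return False
    return True


def reproduce_ticket() -> dict:
    """Run the buggy and the fixed flow; return what each produced."""
    # Constructed: share 9401 has user 7 as its only member; user 52 is not in it.
    server = FakeShareAwareServer({9401: {7}})
    results = {}

    # A share member can use omero.share:9401 (what test8513 asserts).
    member = ShareAwareGateway(server, user_id=7)
    member.activate_share(9401)
    results["member_find"] = member.find("Image", -1)

    # Bug: user 52's session still carries omero.share while loading regular data.
    browser = ShareAwareGateway(server, user_id=52)
    browser.ctx["omero.share"] = "9401"  # stale entry, as in the logged call
    try:
        browser.find("Experimenter", 52)
        results["stale_ctx"] = "allowed"
    except SecurityViolation as exc:
        results["stale_ctx"] = str(exc)

    # Fix: deactivate the share, then the same query is accepted.
    browser.deactivate_share()
    results["after_fix"] = browser.find("Experimenter", 52)
    results["accepted_calls"] = len(server.calls)
    return results


if __name__ == "__main__":
    for key, value in reproduce_ticket().items():
        print("%s: %r" % (key, value))
```

The point to take from the model is that `omero.share` is session state on the client but is re-validated on every server call, so any code path that can leave a share (closing the share view, following a link to regular data) must clear the key rather than rely on the next view overwriting it.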

comment:13 Changed 12 years ago by Aleksandra Tarkowska <A.Tarkowska@…>

(In [4bddf8df4ffa7ed80e3c90fe711b8ac0ed681bfd/ome.git] on branch develop) adding extra parameters, see #8513
