Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unpublished DvObjects' cards don't show for IpGroups contained within a group that has permission to view them. #3273

Closed
michbarsinai opened this issue Aug 12, 2016 · 12 comments
Closed

Unpublished DvObjects' cards don't show for IpGroups contained within a group that has permission to view them. #3273

michbarsinai opened this issue Aug 12, 2016 · 12 comments
Assignees
@kcondon
Labels
Type: Bug a defect UX & UI: Design This issue needs input on the design of the UI and from the product owner
Milestone
4.5.1 - IP Groups...

Comments

@michbarsinai
Copy link
Member

michbarsinai commented Aug 12, 2016
edited by djbrooke
Loading

Given a dataverse that:

  1. Contains unpublished Datasets
  2. Has an explicit group with Admin role (call that eg)
  3. eg has an IpGroup as a member (we'll call that ipg)

When a user logs in from an IP address that's a member of ipg, she does not see the card of the unpublished dataset. Note that when the role is assigned to ipg directly, these cards are shown.
@michbarsinai michbarsinai added UX & UI: Design This issue needs input on the design of the UI and from the product owner Type: Bug a defect labels Aug 12, 2016
@michbarsinai
Copy link
Member Author

@kcondon - is that right?

@kcondon
Copy link
Contributor

kcondon commented Aug 12, 2016
edited
Loading

Yes, that's right, thanks

@djbrooke djbrooke added this to the 4.6 - File Replace milestone Aug 15, 2016
@kcondon kcondon mentioned this issue Aug 15, 2016
Closed
@pdurbin
Copy link
Member

pdurbin commented Aug 19, 2016

Yesterday I replicated the problem (IP groups within explicit groups are not honored) but I'm blocked on having a new method to call to collects even more groups. From chatting with @michbarsinai in Slack it sounds like one should supply a RoleAssignee rather than a User to the method. My preference would be to have a working method first and then refactor all the search code as necessary. @michbarsinai can you supply the method? Unfortunately, I'm out until the first of September after today.

@pdurbin
Copy link
Member

pdurbin commented Aug 19, 2016

@michbarsinai as of 18e1037 in the 1380-honor-ip-groups this is how the method looks in GroupServiceBean that would need to be enhanced:

    public Set<Group> groupsFor( DataverseRequest dr ) {
        Set<Group> groups = new HashSet<>();

        // get the global groups
        groups.addAll( groupsFor(dr,null) );

        // add the explicit groups
        groups.addAll( explicitGroupService.findGroups(dr.getUser()) );

        return groups;
    }

That is to say, this is the method that SearchServiceBean relies on to gather as many groups as possible for the DataverseRequest in question.

Here's a handy link to the method above:

dataverse/src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java

Line 138 in 18e1037

public Set<Group> groupsFor( DataverseRequest dr ) {

Also related to "groups within groups" is this issue about MyData: #3056

This was referenced Aug 19, 2016
Closed
Closed
@pdurbin
Copy link
Member

pdurbin commented Aug 19, 2016

Oh, my other thought on this issue to simply stop supporting "groups within groups". They're a little buggy as currently implemented and I wonder if they're more trouble than they're worth.

@djbrooke djbrooke added the ready label Aug 31, 2016
@djbrooke djbrooke modified the milestones: 4.5.1 - IP Groups fixes, 4.6 - File Replace Aug 31, 2016
@djbrooke
Copy link
Contributor

djbrooke commented Sep 1, 2016

@michbarsinai - we are trying to get the IP Group fixes in 4.5.1 but this method update is blocking this issue. What are your thoughts? Do you have time to work on it or should we take a stab at it on this side? Thanks!

@michbarsinai
Copy link
Member Author

@djbrooke I was just talking (slacking?) with @pdurbin about this. I need to implement a method, will get it done by early next week.

@djbrooke
Copy link
Contributor

djbrooke commented Sep 2, 2016

@michbarsinai awesome! Thanks much.

@djbrooke djbrooke added in progress and removed ready labels Sep 2, 2016
michbarsinai added a commit that referenced this issue Sep 6, 2016
@michbarsinai
Added a method to flatten a collection of groups (re: #3273)
1766c05
@michbarsinai
Copy link
Member Author

Method implemented. As the groupsFor method is used twice, and I didn't want to break existing usages, I've added another method to the GroupServiceBean, called flattenGroupsCollection. Given a collection of groups, this method returns a stream of the groups in the collection and all their group descendants.

See unit test for sample usage. In the context of this issue, I think it would be enough to replace groupsFor(X) with flattenGroupsCollection(groupsFor(X)).

Unit test: https://github.com/IQSS/dataverse/blob/1380-honor-ip-groups/src/test/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBeanTest.java#L65

pdurbin added a commit that referenced this issue Sep 9, 2016
@pdurbin
ipGroup3.json got renamed to ipGroup-all.json #3273
2ada661
@pdurbin
Copy link
Member

pdurbin commented Sep 9, 2016

@michbarsinai I'm having good luck with the new collectAncestors method you added in 1c1c60b. Thanks! Unlike before, the following scenario now works:

  • scripts/api/data/ipGroup-all.json is used to create an IP group that matches all IP address (in the GUI you can find this group as &ip/ipGroup3 - "IP group to match all IPv4 and IPv6 addresses")
  • in an unpublished subdataverse, create an explicit group and add the IP group above as a member. This is a "group within a group"
  • assign the expicit group to the subdataverse with the admin role
  • confirm that cards the unpublished subdataverse and unpublished direct child datasets and their files are viewable anonymously
  • revoke that role and assign it at an unpublished dataset instead to confirm that the unpublished dataset card and its files are viewable anonymously

@michbarsinai there's still an issue the branch we're working on is behind "develop". Unfortunately, there are merge conflicts so pull request #3103 can't be merged. I'll take a swing at getting the branch up to date with "develop" and I'll ping you if I'm unclear about how to handle any of the merge conflicts.

pdurbin added a commit that referenced this issue Sep 9, 2016
@pdurbin
Merge branch 'develop' into 1380-honor-ip-groups #3103 #3273
80268c3 
Conflicts:
src/main/java/edu/harvard/iq/dataverse/api/Admin.java
src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java
src/test/java/edu/harvard/iq/dataverse/util/json/JsonParserTest.java

As of 1f5fcfe and earlier (not sure how far back) this branch cannot be
merged with develop since develop advanced with the release of 4.5 (pull
request #3308 especially was merged in).

A simple `git merge develop` yielded merge conflics, especially with
JsonPrinter.java and I was unable to resolve them using Netbeans. (I had
to run `git merge --abort` after three attempts.) I decided to revert
JsonPrinter.java to its state in 4.5 with
`git checkout dc58ae1
src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java` and
then manually copy the changes needed to get the app to compile from the
`1380-honor-ip-groups` branch (specifically
https://github.com/IQSS/dataverse/blob/2ada66142fd8fca3a61da4db46268cfba650e4a9/src/main/java/edu/harvard/iq/dataverse/util/json/JsonPrinter.java
). I tried to get all the changes but it's possible I missed some.
`public static JsonObjectBuilder json( IpGroup grp )` especially had
some changes having to do with `List<List<String>> ranges =
grp.getRanges().stream().filter( rng -> !rng.isSingleAddress()` and
such. It looks like this change happened in a336475. The commit message
starts with "IP group json format now supports single addresses". I
opened #3340 to revisit this part of the code or at least to test and
document how it's supposed to work.

Meanwhile, I tested #3273 which is what I'm actually working on and the
"groups within groups" bug seems to be fixed both before and after the merge.
@pdurbin
Copy link
Member

pdurbin commented Sep 9, 2016

Ok, resolving the merge conflict was pretty thorny and resulting in me opening #3340 and leaving a long comment in 80268c3 to explain what I did but both and before and after the merge this issue seems to have been fixed. Please see my last comment about "groups within groups" for how I've been testing. Passing to QA.

@pdurbin pdurbin removed their assignment Sep 9, 2016
@pdurbin pdurbin assigned kcondon and unassigned michbarsinai Sep 9, 2016
@kcondon kcondon removed their assignment Sep 9, 2016
@kcondon kcondon assigned kcondon and unassigned pdurbin Sep 9, 2016
@kcondon
Copy link
Contributor

kcondon commented Sep 9, 2016

OK, tested and it works now.

@kcondon kcondon closed this as completed Sep 9, 2016
@kcondon kcondon removed the Status: QA label Sep 9, 2016
@pdurbin pdurbin mentioned this issue Sep 12, 2016
Closed
@michbarsinai michbarsinai mentioned this issue Sep 12, 2016
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kcondon kcondon

Labels
Type: Bug a defect UX & UI: Design This issue needs input on the design of the UI and from the product owner
Projects
None yet
Milestone
4.5.1 - IP Groups fixes
Development

No branches or pull requests
4 participants
@pdurbin @michbarsinai @kcondon @djbrooke