Details
Bug
Resolution: Fixed
Minor
2.4.0, 2.3.0.patch
None
Description
When a non-wheel user, with admin privileges but no explicit update privilege on a group, tries to remove that group via a subject page, using the checkboxes and the "Remove selected groups" button, the error is flashed:
Error: group has errors removing 1 members, and successfully removed 1 members
This looks like it just needs a change in UiV2Subject.removeGroups, with a group.hasUpdate(loggedInSubject) changed to a group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false). That fixed it for me when testing locally. There is another usage of hasUpdate in removeGroup, but I didn't test that one.
The "successfully removed 1 members" on an error is also a bug, since it wasn't an actual success. I think the successes++ line should be moved to the inner block, right after group.deleteMember() is called.
Steps to reproduce (unicon grouper-demo Docker image – I used tag 2.3.0-2017-01-30):
1) As user banderson/password, log into http://192.168.99.100:8080/grouper
2) Add adoe as an admin of group courses:ACCT101
3) In a separate browser, log in as adoe/password
4) Search for user "asmith" and open the subject page
5) Check the checkbox for group ACCT101
6) Click Remove selected groups
Result: Error: group has errors removing 1 members, and successfully removed 1 members
Potential patch:
--- a/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
|
+++ b/grouper-ui/java/src/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Subject.java
|
@@ -805,7 +805,7 @@ public class UiV2Subject { |
|
@Override |
public Object callback(GrouperSession grouperSession) throws GrouperSessionException { |
- if (group.hasUpdate(loggedInSubject)) { |
+ if (group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false)) { |
return true; |
}
|
return false; |
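Review bot: The replacement check at `group.canHavePrivilege(loggedInSubject, AccessPrivilege.UPDATE.getName(), false)` passes a bare `false` with no explanation, and nothing at the call site records why `hasUpdate` was too narrow for a user who holds admin but no explicit update. Please add a short comment stating that an admin must be able to remove members without a separate update grant, and say what the third argument controls. The description also mentions a second `hasUpdate` call in removeGroup that was not tested; it should be changed in the same patch or explicitly left out with a reason, otherwise the two removal paths will authorize differently for the same user.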
@@ -816,9 +816,9 @@ public class UiV2Subject { |
failures++;
|
} else { |
group.deleteMember(membership.getMember(), false); |
+ successes++;
|
}
|
|
- successes++;
|
} catch (Exception e) { |
LOG.warn("Error with membership: " + membershipId + ", user: " + loggedInSubject, e); |
failures++;
|