Hi all,

Thanks for weighing in.

RE: *Issue 3:* No Recode of existing passwords Digest -> Strong PBE
I’ve checked the docs and I can’t find any reference to “Recode existing 
passwords”. You access the page by editing an existing “User Group Service” 
and then changing the “Password encryption” dropdown. It gives you the option 
to recode the existing passwords to the new encryption type. By looking at the 
XML you can see the prefixes changing from `crypt2:` to `digest1:` ("Strong 
PBE" to "Digest"). However the reverse doesn’t occur (going from "Digest" to 
"Strong PBE").

Ok, so unless I hear otherwise I’ll raise 4 tickets:

1. GROUP_ADMIN being able to disable & change non-group members, for:
   a. *Issue 1:* Disabling non-group users
   b. *Issue 2:* Changing non-group users' passwords
2. No Recode of existing passwords Digest -> Strong PBE
   a. *Issue 3:* No Recode of existing passwords Digest -> Strong PBE
3. Delete user not in different groups (unhandled exception)
   a. *Issue 4:* Delete user not in different groups (unhandled exception)
4. Delete user not in any groups
   a. *Issue 5:* Delete user not in any groups

Thanks for your help.

Rob
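As an added example (not code from the GeoServer project or from anyone in this thread), here is a small offline audit of a users.xml from the XML user/group service. It checks the two things raised above: which password prefix each stored password carries (digest1: vs crypt2:, so you can see whether a Digest -> Strong PBE switch actually recoded anything), and which users fall inside or outside a GROUP_ADMIN's own groups, plus who is currently disabled. The users.xml layout (a userRegistry root with users/user and groups/group/member elements in the http://www.geoserver.org/security/users namespace) and the sample document are assumptions constructed for this example; the helper names are mine.

```python
"""Offline audit of a GeoServer XML user/group service (users.xml).

Added example; not code from GeoServer or from the mailing-list thread.
Assumptions: the users.xml layout below and the password prefixes "digest1:"
(Digest) and "crypt2:" (Strong PBE) mentioned in the thread. The sample
document is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the state one might see after a GROUP_ADMIN of group-1
# "failed" to save group-2-user, and after switching the service from Digest
# to Strong PBE with only some entries recoded.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<userRegistry version="1.0" xmlns="http://www.geoserver.org/security/users">
  <users>
    <user enabled="true" name="admin" password="crypt2:AAAA"/>
    <user enabled="true" name="group-1-user" password="crypt2:BBBB"/>
    <user enabled="false" name="group-2-user" password="digest1:CCCC"/>
    <user enabled="true" name="no-group-user" password="plain:secret"/>
  </users>
  <groups>
    <group enabled="true" name="group-1">
      <member username="group-1-user"/>
    </group>
    <group enabled="true" name="group-2">
      <member username="group-2-user"/>
    </group>
  </groups>
</userRegistry>
"""

# Assumed namespace of the XML user/group service document.
NS = {"u": "http://www.geoserver.org/security/users"}


def parse_user_registry(xml_text):
    """Return ({user: {"enabled": bool, "prefix": str}}, {group: set(users)})."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.findall("./u:users/u:user", NS):
        pwd = u.get("password", "")
        # The encoder prefix is everything before the first ':' (e.g. crypt2).
        prefix = pwd.split(":", 1)[0] if ":" in pwd else ""
        users[u.get("name")] = {
            "enabled": u.get("enabled", "true").lower() == "true",
            "prefix": prefix,
        }
    groups = {}
    for g in root.findall("./u:groups/u:group", NS):
        groups[g.get("name")] = {m.get("username") for m in g.findall("u:member", NS)}
    return users, groups


def not_recoded(users, expected_prefix):
    """Users whose stored password does not carry the service's current encoder prefix."""
    return sorted(n for n, info in users.items() if info["prefix"] != expected_prefix)


def groups_of(groups, username):
    return {g for g, members in groups.items() if username in members}


def scope_for_group_admin(users, groups, admin_groups):
    """Partition users as seen by a GROUP_ADMIN of admin_groups.

    'administered': every group the user belongs to is administered (and there is
    at least one); 'foreign': member of some group outside admin_groups (the
    server refuses to save these); 'ungrouped': member of no group at all.
    """
    admin_groups = set(admin_groups)
    result = {"administered": [], "foreign": [], "ungrouped": []}
    for name in sorted(users):
        member_of = groups_of(groups, name)
        if not member_of:
            result["ungrouped"].append(name)
        elif member_of <= admin_groups:
            result["administered"].append(name)
        else:
            result["foreign"].append(name)
    return result


def disabled_users(users):
    return sorted(n for n, info in users.items() if not info["enabled"])


def audit(xml_text, expected_prefix, admin_groups):
    """Run all three checks over one users.xml and return the findings."""
    users, groups = parse_user_registry(xml_text)
    return {
        "not_recoded": not_recoded(users, expected_prefix),
        "scope": scope_for_group_admin(users, groups, admin_groups),
        "disabled": disabled_users(users),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_USERS_XML, "crypt2", {"group-1"}).items():
        print(f"{key}: {value}")
```

Run it against a copy of the data directory's users.xml after flipping the encoder: any name still listed under not_recoded was not rewritten, and a foreign user appearing under disabled is the symptom from Issue 1 worth checking against the audit log.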

From: Christian Mueller [mailto:[email protected]]
Sent: 19 April 2017 10:08
To: Justin Deoliveira <[email protected]>
Cc: Andrea Aime <[email protected]>; Langford, Robert 
<[email protected]>; GeoServer Mailing List List 
<[email protected]>
Subject: Re: [Geoserver-users] Possible bug GROUP_ADMIN deleting users

Hi all

Sounds like a bug.

@Justin, as far as I can remember I never contributed any code to the Group 
Admin concept; I think you invented this feature for a customer. Maybe I am 
wrong here.

Cheers



On Wed, Apr 19, 2017 at 4:18 AM, Justin Deoliveira 
<[email protected]> wrote:

On Tue, Apr 18, 2017 at 3:11 AM Andrea Aime 
<[email protected]> wrote:
On Thu, Apr 6, 2017 at 1:52 PM, Rob L 
<[email protected]> wrote:
Done some more testing; now I'm certain I've found further issues. These have
only been tested with the "Default XML user/group service".

Create 2 groups:
 1. group-1
 2. group-2

Create 3 users
 1. group-1-user ; member of group-1 ; add role GROUP_ADMIN
 2. group-2-user ; member of group-2
 3. no-group-user


*Issue 1:* Disabling non-group users:
 - Log in to webGUI as group-1-user (GROUP_ADMIN)
 - Open group-2-user
 - Un-tick the "Enabled" check box
 - Click save -> Error message: "An error occurred while saving the user:
User [...]  is member of group(s) not administered by current user and cant
be modified."
 - Navigate back to user list (or press "Cancel")
 - group-2-user now doesn't have the "Enabled" tick and cannot log in

Bug.



*Issue 2:* Changing non-group users passwords (occurred when Password
encryption=Digest, didn't affect Strong PBE):
 - Log in to webGUI as group-1-user (GROUP_ADMIN)
 - Open group-2-user
 - Change the password
 - Click save -> Error message: "An error occurred while saving the user:
User [...]  is member of group(s) not administered by current user and cant
be modified."
 - Navigate back to user list (or press "Cancel")
 - group-2-user tries to log on and gets HTTP 500: "No password decoder for"

This one seems to be in the same ticket as the above one.



*Issue 3:* No Recode of existing passwords Digest -> Strong PBE
 - Passwords in users.xml aren't re-encoded going from "Digest" to "Strong
PBE" (however going from "Strong PBE" to "Digest" does)

I'm lost here, how does this happen? Changing the setting in the global UI or
is it something group specific too?
Also, what would be the expected behavior according to docs (if any)?



*Issue 4:* Delete user not in different groups (unhandled exception)
 - Log in to webGUI as group-1-user (GROUP_ADMIN)
 - Check group-2-user and click "Remove Selected" and then confirm
 - JavaScript "Do you want to leave this site.." warning appears, click
"Leave"
 - Get "Oops, something went wrong..." page

Probably a separate ticket.



*Issue 5:* Delete user not in any groups (maybe not a bug but seems strange)
 - Log in to webGUI as group-1-user (GROUP_ADMIN)
 - Check no-group-user and click "Remove Selected" and then confirm
 - User is deleted

Unsure, I've cc'ed who I believe is the original author(s) to get info on the 
expected behavior. Rob, you could also check the documentation and see if the 
behavior matches anything declared there.

Yeah, I would say this is probably a bug. If I remember the original intention, 
it was that a group admin should only be able to do things related to the group 
they are the admin of. So really that means just add and remove users from the 
group. Christian probably has a better recollection than I, though.

Cheers
Andrea


--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it





--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


DISCLAIMER: The information contained in this communication/message from 
[email protected] sent on Thu Apr 20 10:38:57 2017 is confidential. 
It is intended solely for the addressee(s) 
[email protected];[email protected];[email protected]
