Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#1373 closed defect (fixed)

Permission denied exception when viewing item that has inherited an annotation that a user has not permission to see

Reported by: jari
Owned by: Nicklas Nordborg
Priority: major
Milestone: BASE 2.13.1
Component: web
Version:
Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

The scenario:

UserA has a rawbioassay RBA derived from SampleA (path: SampleA -> ExtractA -> LabeledExtractA -> HybA -> ScanA -> RBA). All items are shared to UserB (R) except SampleA and RBA, which are shared with (RUW).

UserB annotates SampleA with AnnotB (AnnotB is an annotation type owned by UserB and not shared with UserA). UserB creates an experiment ExpB including RBA and with AnnotB as experimental factor. Then UserB automatically allows RBA to inherit AnnotB from SampleA from the experiment properties view.

A problem occurs when UserA tries to view the properties of RBA (RBA will be displayed in the rawbioassay list view). BASE replies:

Permission denied: Not allowed to read Annotation type[id=xxx; name=AnnotB]

Suggested solution:

UserA should of course see RBA details but without knowing anything about inherited AnnotB. Note, UserA can look at SampleA details without seeing AnnotB, as expected and desired. That is, the same should apply when UserA looks at RBA.

IMPORTANT NOTE

The changes made to list_annotations.jsp as part of this ticket in [5102] SHOULD NOT be merged to the trunk. The changes made in [5123] for ticket #1374 conflict with the changes made in this ticket.

Change History (5)

comment:1 Changed 11 years ago by Nicklas Nordborg

Milestone: BASE 2.13.1
Type: changed from enhancement to defect

Hmmm... the problem seems to be in the list_annotations.jsp script, which is used to display the annotations for all items. The error will happen every time an item has an inherited annotation with an annotation type that the logged-in user doesn't have permission to.

There is a lot of error-handling code in list_annotations.jsp that seems to take care of exactly this situation, except that there is a call to FormatterFactory.getAnnotationFormatter() which is outside this error handling. For some reason this method is calling Annotation.getAnnotationType(), which is the source of the exception. But... it seems like this call is not needed. The return value is not used... It may be a left-over line from some earlier code. I'll try to simply remove that line.
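The failure mode described in comment:1, as an added example that is not part of the ticket and is not BASE code: a permission-checked accessor called outside the per-row handler aborts the whole listing, while keeping every such access inside the handler hides only the unreadable row. All class and method names below are hypothetical stand-ins, the data is constructed to mirror the ticket's scenario, and Java 16 or later is assumed for records.

```java
import java.util.*;
// Hypothetical stand-ins for illustration; none of these are BASE classes.
public class InheritedAnnotationView {
    static class PermissionDeniedException extends RuntimeException {
        PermissionDeniedException(String m) { super(m); }
    }
    record AnnotationType(String name, Set<String> readers) {}
    record Annotation(AnnotationType type, String value) {
        AnnotationType getAnnotationType(String user) {
            if (!type.readers().contains(user))
                throw new PermissionDeniedException("Not allowed to read annotation type");
            return type;
        }
    }
    // Before: a permission-checked call sits outside the handler, so one
    // unreadable type aborts the whole listing.
    static List<String> rowsBefore(List<Annotation> inherited, String user) {
        List<String> rows = new ArrayList<>();
        for (Annotation a : inherited) {
            a.getAnnotationType(user); // unguarded, result unused
            try {
                rows.add(a.getAnnotationType(user).name() + " = " + a.value());
            } catch (PermissionDeniedException e) { /* skip this row */ }
        }
        return rows;
    }
    // After: every permission-checked access is inside the handler, so an
    // unreadable type hides only its own row and its name is never shown.
    static List<String> rowsAfter(List<Annotation> inherited, String user) {
        List<String> rows = new ArrayList<>();
        for (Annotation a : inherited) {
            try {
                rows.add(a.getAnnotationType(user).name() + " = " + a.value());
            } catch (PermissionDeniedException e) { /* skip this row */ }
        }
        return rows;
    }
    public static void main(String[] args) {
        // Constructed data mirroring the ticket: AnnotB is readable by UserB only.
        AnnotationType annotB = new AnnotationType("AnnotB", Set.of("UserB"));
        AnnotationType tissue = new AnnotationType("Tissue", Set.of("UserA", "UserB"));
        List<Annotation> onRba = List.of(new Annotation(annotB, "treated"), new Annotation(tissue, "liver"));
        System.out.println("after, UserA:  " + rowsAfter(onRba, "UserA"));
        System.out.println("after, UserB:  " + rowsAfter(onRba, "UserB"));
        try {
            System.out.println("before, UserA: " + rowsBefore(onRba, "UserA"));
        } catch (PermissionDeniedException e) {
            System.out.println("before, UserA: view failed: " + e.getMessage());
        }
    }
}
```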

comment:2 Changed 11 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: changed from new to assigned

comment:3 Changed 11 years ago by Nicklas Nordborg

Summary: changed from "Annotation acces should not limit annotated item access" to "Permission denied exception when viewing item that has inherited an annotation that a user has not permission to see"

comment:4 Changed 11 years ago by Nicklas Nordborg

Resolution: fixed
Status: changed from assigned to closed

(In [5102]) Fixes #1373: Permission denied exception when viewing item that has inherited an annotation that a user has not permission to see

comment:5 Changed 11 years ago by Nicklas Nordborg

Description: modified (diff)