#1373 closed defect (fixed)
Permission denied exception when viewing item that has inherited an annotation that a user has not permission to see
Reported by: | Jari Häkkinen | Owned by: | Nicklas Nordborg |
---|---|---|---|
Priority: | major | Milestone: | BASE 2.13.1 |
Component: | web | Version: | |
Keywords: | Cc: |
Description (last modified by )
The scenario:
UserA has a rawbioassay RBA derived from SampleA (path: SampleA -> ExtractA -> LabeledExtractA -> HybA -> ScanA -> RBA), all items are shared to UserB (R) except SampleA and RBA that is shared with (RUW).
UserB annotates SampleA with AnnotB (AnnotB is an annotation type owned by UserB and not shared with UserA). UserB creates an experiment ExpB including RBA and with AnnotB as experimental factor. Then user B automatically allows RBA to inherit the AnnotB from SampleA from the experiment properties view.
A problem occurs when UserA tries to view the properties of RBA (RBA will be displayed in rawbioassay list view), BASE replies
Permission denied: Not allowed to read Annotation type[id=xxx; name=AnnotB]
Suggested solution:
UserA should of course see RBA details but without knowing anything about inherited AnnotB. Note, UserA can look at SampleA details without seeing AnnotB as expected and desired. That is the same should apply when UserA looks at RBA.
IMPORTANT NOTE
The changes made to list_annotations.jsp
as part of this ticket in [5102] SHOULD NOT be merged to the trunk. The changes made in [5123] for ticket #1374 conflicts with the changes made in this ticket.
Change History (5)
comment:1 by , 15 years ago
Milestone: | → BASE 2.13.1 |
---|---|
Type: | enhancement → defect |
comment:2 by , 15 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 15 years ago
Summary: | Annotation acces should not limit annotated item access → Permission denied exception when viewing item that has inherited an annotation that a user has not permission to see |
---|
comment:4 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:5 by , 15 years ago
Description: | modified (diff) |
---|
Hmmm... the problem seems to be in the list_annotations.jsp script which is used to display the annotations for all items. The error will happen everytime an item has an inherited annotation with an annotation type that the logged in user doesn't have permission to.
There are a lot of error handling code in the list_annotations.jsp that seems to take care of exactly this situation, except that there is a call to
FormatterFactory.getAnnotationFormatter()
which is outside this error handling. For some reason this method is callingAnnotation.getAnnotationType()
which is the source of the exception. But... it seems like this call is not needed. The return value is not used... It may be a left-over line from some earlier code. I'll try to simply remove that line.