  1. MidPoint
  2. MID-2146

When assigning roles, I can see roles that I cannot have assigned


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.0 (Newton), 3.4 (Heisenberg)
    • Fix Version/s: 3.4.1, 3.5 (Einstein)
    • Component/s: GUI
    • Labels:
      None

      Description

      I have configured a security role with (among other settings):

          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
              <phase>request</phase>
              <object>
                  <type>UserType</type>
                  <filter>
      . . .
                  </filter>
              </object>
              <target>
                      <type>RoleType</type>
                      <filter>
                              <q:equal>
                                      <q:path>requestable</q:path>
                                      <q:value>true</q:value>
                              </q:equal>
                      </filter>
              </target>
          </authorization>
      

      and

          <authorization>
              <decision>deny</decision>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <object>
                  <type>RoleType</type>
                  <filter>
                          <q:and>
                              <q:not>
                                  <q:equal>
                                      <q:path>name</q:path>
                                      <q:value>Support</q:value><!-- This causes this role to be assignable ! -->
                                  </q:equal>
                              </q:not>
                              <q:not>
                                  <q:equal>
                                      <q:path>name</q:path>
                                      <q:value>End user</q:value>
                                  </q:equal>
                              </q:not>
                              <q:not>
                                  <q:equal>
                                      <q:path>requestable</q:path>
                                      <q:value>true</q:value>
                                  </q:equal>
                              </q:not>
                          </q:and>
                  </filter>
              </object>
          </authorization>
      

      I can see all readable roles in the assignment popup (assign role). I should only see the roles that I can assign.
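
Added example (not part of the original report and not midPoint code): a small evaluator that runs the two filters from the description over constructed sample roles and lists the roles that are readable but not assignable, which are the entries the reporter expects the assign popup to hide. It assumes that another authorization allows reading all roles and that a deny overrides it; the helper names are hypothetical, and only `equal`, `not`, `and` and `or` clauses are handled.

```python
import xml.etree.ElementTree as ET

Q = "http://prism.evolveum.com/xml/ns/public/query-3"  # bound so the q: prefix parses

# Target filter of the assign/unassign authorization, as posted in the report.
ASSIGN_TARGET = f"""<filter xmlns:q="{Q}">
  <q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal>
</filter>"""

# Object filter of the deny-read authorization, as posted in the report.
DENY_READ = f"""<filter xmlns:q="{Q}"><q:and>
  <q:not><q:equal><q:path>name</q:path><q:value>Support</q:value></q:equal></q:not>
  <q:not><q:equal><q:path>name</q:path><q:value>End user</q:value></q:equal></q:not>
  <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
</q:and></filter>"""

# Constructed sample roles; only the names "Support" and "End user" come from the report.
ROLES = [
    {"name": "Support", "requestable": "false"},
    {"name": "End user", "requestable": "false"},
    {"name": "Helpdesk", "requestable": "true"},
    {"name": "Superuser", "requestable": "false"},
]

def matches(node, role):
    """Evaluate one filter clause against a role given as a dict of strings."""
    kind = node.tag.rsplit("}", 1)[-1]  # local name without the namespace
    kids = list(node)
    if kind in ("filter", "and"):
        return all(matches(k, role) for k in kids)
    if kind == "or":
        return any(matches(k, role) for k in kids)
    if kind == "not":
        return not matches(kids[0], role)
    if kind == "equal":
        path = node.findtext(f"{{{Q}}}path").strip()
        value = node.findtext(f"{{{Q}}}value").strip()
        return role.get(path) == value
    raise ValueError(f"unsupported filter clause: {kind}")

def select(filter_xml, roles):
    """Names of the roles selected by a filter."""
    root = ET.fromstring(filter_xml)
    return {r["name"] for r in roles if matches(root, r)}

def popup_audit(roles):
    """Return (readable, assignable, readable_but_not_assignable) role names."""
    readable = {r["name"] for r in roles} - select(DENY_READ, roles)  # assumed: deny wins
    assignable = select(ASSIGN_TARGET, roles) & readable
    return readable, assignable, readable - assignable
```

For the sample roles, `popup_audit(ROLES)` reports "Support" and "End user" as readable but not assignable when the filters are taken as written.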

              People

              Assignee:
              vix Ivan Noris
              Reporter:
              vix Ivan Noris