CMDBuild Forum

Bug in column permissions

Dear team, 

I have detected a bug in column permissions. The problem occurs when a user is a member of more than one group.

Example:

Class A with columns a, b, c.

Group Editor can write to class A, but has a read column restriction for column c (it is filled by a trigger and can be modified only by the super user).

Group Viewer can only read class A (or has no permission to class A - the result is the same) and there are no column restrictions set - why should there be, if the group can only read?

User one is a member of only group Editor - it is OK, he can edit columns a and b only.

User two is a member of only group Viewer - it is OK, he cannot edit any column.

User three is a member of both groups (Editor and Viewer) and is logged in as "Multi group" - he can write to class A including column c, because:
- the table permission is taken from the group Editor
- the column permission is taken from the group Viewer, where there are no column restrictions.

It can be worked around by setting a read column permission in the Viewer group, but it is not very logical to set a column read restriction if the table permission is read or none.

So, IMHO it is a bug - the column write permission cannot be taken from a group where the class permission is read or none.

Similarly, the column read permission should not be taken from a group where the class permission is none.

Regards,
Jiří
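The merge logic described in the post, written out as an added example (my own code, not CMDBuild's). It assumes a three-level model (none, read, write) for both class and column permissions; `merged_naive` reproduces the reported behaviour, `merged_correct` derives each group's effective column level first and only then takes the union across groups, so a read-only or no-access group can never lift a restriction set in the group that actually grants write.

```python
# Model of the multi-group permission merge from the post. The bug: class
# permission and column restriction are merged across groups independently,
# so the least restricted column setting (from a group that cannot even
# write the class) combines with the class-level write of another group.
from typing import Dict, Iterable, Mapping, Optional

LEVELS = {"none": 0, "read": 1, "write": 2}   # total order on permissions (assumed model)


class GroupPermission:
    """Class-level permission plus per-column restrictions for one group."""

    def __init__(self, class_level: str, column_restrictions: Optional[Mapping[str, str]] = None):
        self.class_level = class_level
        self.column_restrictions = dict(column_restrictions or {})

    def column_level(self, column: str) -> str:
        # A column restriction can only lower what the class level already grants.
        restricted = self.column_restrictions.get(column, self.class_level)
        return min(self.class_level, restricted, key=LEVELS.get)


def merged_naive(groups: Iterable[GroupPermission], columns: Iterable[str]) -> Dict[str, str]:
    """Reproduces the reported bug: class and column levels merged separately."""
    groups = list(groups)
    class_level = max((g.class_level for g in groups), key=LEVELS.get)
    result = {}
    for col in columns:
        # Least restricted column setting wins, regardless of which group it came from.
        col_level = max((g.column_restrictions.get(col, "write") for g in groups), key=LEVELS.get)
        result[col] = min(class_level, col_level, key=LEVELS.get)
    return result


def merged_correct(groups: Iterable[GroupPermission], columns: Iterable[str]) -> Dict[str, str]:
    """Effective level per group first, then the union of those across groups."""
    groups = list(groups)
    return {col: max((g.column_level(col) for g in groups), key=LEVELS.get) for col in columns}


# Constructed scenario from the post: class A with columns a, b, c.
COLUMNS = ("a", "b", "c")
EDITOR = GroupPermission("write", {"c": "read"})   # c is trigger-filled, read-only
VIEWER = GroupPermission("read")                   # no column restrictions needed

if __name__ == "__main__":
    print("naive  :", merged_naive([EDITOR, VIEWER], COLUMNS))    # c becomes 'write'
    print("correct:", merged_correct([EDITOR, VIEWER], COLUMNS))  # c stays 'read'
```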

 
Dear Jiří,
 
Thank you for your submission, we'll fix it as soon as possible, but after version 2.4.1, which is scheduled for next week.
 
Best regards.
 
-- CMDBuild Team
 