CMDBuild Forum

[BUG][Security] "None" grant on classes causes exposure of merged permissions

When merging two groups' permissions I've come across this bug. On a group, selecting "Read" or "Write" permissions and then setting it back to "None" has different behaviour than just leaving the default "None" value unchanged from the beginning.

Checking the "Grant" table on the database we can see that when a value was selected and then back to "None" a row like the following is persisted:

255879;""Grant"";"";"2016-04-20 12:50:38.483";"";"";"A";"";255604;""CLASSNAME"";"-";"Class";;"";"{}";"create=true,modify=true,clone=true,remove=true"

When no value at all is selected, no "Grant" row is present.

How to reproduce:

  • Create a Class A
  • Add two cards to it, one with the code X and the other Y
  • Create a Group X_Only
  • At the Permissions tab open the row level permissions and set a filter for Code equals X
  • Add a new user to the Group (When listing class A you will only see card X)
  • Now add a second group called NoPermissions
  • Add the user to it and on the user select a default group
  • After relogin with that user, you will continue to see only the X card
  • On the permissions tab for the NoPermissions group select "Read" and then set it back to "None" on the A class.
  • After relogin with that user, you will see both X and Y

I was looking at the source code hoping to be able to produce a patch, but it appears to be way more complicated to pinpoint than I can afford.

If you need some more info on how to reproduce the problem just let me know. Btw is there a better way to report issues?

Regards,

RS
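The behaviour reported above can be reproduced in a small model of how row-level filters from several groups get merged. The following is an added example and not CMDBuild code: the classes, field names and merge rules (`GrantRow`, `effective_filter`, the `mode == '-'` convention taken from the pasted "Grant" row, and the assumption that an unfiltered grant row widens the union to "all rows") are hypothetical and only mirror the observed result. It also shows the audit check a defender would run: find persisted grant rows whose mode is "None" yet still carry permission flags.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Constructed model of the report, not CMDBuild's implementation.
# All names below are hypothetical.


@dataclass
class Card:
    code: str


@dataclass
class GrantRow:
    """One persisted "Grant" row, reduced to the fields that matter here.
    mode '-' is what the pasted row shows for a grant set back to "None"."""
    group: str
    granted_class: str
    mode: str                                           # 'r' read, 'w' write, '-' none
    row_filter: Optional[Callable[[Card], bool]] = None  # None = no row-level filter
    ui_flags: str = ""                                  # e.g. "create=true,modify=true,..."


def effective_filter(grants: List[GrantRow], group_names: Set[str],
                     class_name: str, treat_none_as_absent: bool) -> Callable[[Card], bool]:
    """Predicate for the cards of class_name a user may see given their groups.
    Row-level filters of different groups are merged by union (assumption).
    With treat_none_as_absent=False a persisted mode '-' row counts like any
    other grant row: it has no filter, so the union becomes 'all rows' (the
    reported bug). With True such rows are ignored, as if never persisted."""
    predicates = []
    for g in grants:
        if g.group not in group_names or g.granted_class != class_name:
            continue
        if g.mode == "-" and treat_none_as_absent:
            continue
        if g.row_filter is None:
            return lambda card: True        # unfiltered grant: every card visible
        predicates.append(g.row_filter)
    if not predicates:
        return lambda card: False           # no grant at all: nothing visible
    return lambda card: any(p(card) for p in predicates)


def visible_codes(cards: List[Card], grants: List[GrantRow], group_names: Set[str],
                  class_name: str, treat_none_as_absent: bool) -> List[str]:
    pred = effective_filter(grants, group_names, class_name, treat_none_as_absent)
    return sorted(c.code for c in cards if pred(c))


def suspicious_grants(grants: List[GrantRow]) -> List[GrantRow]:
    """Audit check: rows with mode '-' (None) that still carry permission
    flags, like the row pasted in the report. These should not exist."""
    return [g for g in grants if g.mode == "-" and g.ui_flags]


# Constructed data following the reproduction steps.
CARDS = [Card("X"), Card("Y")]
GRANTS_BEFORE = [GrantRow("X_Only", "A", "r", row_filter=lambda c: c.code == "X")]
GRANTS_AFTER = GRANTS_BEFORE + [
    GrantRow("NoPermissions", "A", "-", None,
             "create=true,modify=true,clone=true,remove=true"),
]
USER_GROUPS = {"X_Only", "NoPermissions"}

if __name__ == "__main__":
    print("before toggling:", visible_codes(CARDS, GRANTS_BEFORE, USER_GROUPS, "A", False))
    print("after, buggy merge:", visible_codes(CARDS, GRANTS_AFTER, USER_GROUPS, "A", False))
    print("after, fixed merge:", visible_codes(CARDS, GRANTS_AFTER, USER_GROUPS, "A", True))
    for g in suspicious_grants(GRANTS_AFTER):
        print("suspicious grant row:", g.group, g.granted_class, g.mode, g.ui_flags)
```

Until a fixed release is installed, `suspicious_grants` is the check worth running against an export of the "Grant" table: any row whose mode is "-" is a candidate for the exposure described above and can simply be deleted, which restores the state of never having touched the dropdown.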

Dear Ruben,
 
thank you so much for your submission. We've verified the issue and we'll fix it for version 2.4.1.
 
Best regards.
 
-- CMDBuild Team
 