Ticket #13553 (confirmed Bug)

Opened 3 years ago

Last modified 3 years ago

catalog+anonymous = nothing

Reported by: dr460neye Owned by:
Priority: minor Milestone: 4.x
Component: Backend (Python) Version: 4.2
Keywords: catalog, ldap, security, roles, anonymous Cc:

Description

CatalogTool.py line 358

    if 'Anonymous' in result:
        # The anonymous user has no further roles
        return ['Anonymous']

Combination with ldap and temporary users.

e.g. if you create user accounts which should get their total role mapping from groups, you get a big problem from this line of code.

the basic setup in ldap maps to 2 default roles: Anonymous,Member

If a user should not get any privileges after logging in, we changed the default roles to Anonymous only. All other privileges come from LDAP groups and their mapping.

Now, at the source snippet you see, the catalog would not show its content to anyone who has the Anonymous role.

This has to change to an if statement like:

    if singleRole('Anonymous', result):
        # The anonymous user has no further roles
        return ['Anonymous']

This would not conflict and would be performant, and it makes it possible that each non-authorized user can log in but gets no more privileges than everyone else.
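Added example (not Plone's code and not the reporter's): it models the role check the ticket quotes from CatalogTool.py next to the proposed "only role is Anonymous" check, then runs both against a constructed LDAP user whose default roles are Anonymous only and whose group mapping adds Editor. The catalog filtering, the 'user:' prefixes and the `singleRole` helper are assumptions made to keep the example self-contained.

```python
from typing import Iterable, List

# Constructed test data: an LDAP user with default role Anonymous only,
# plus an Editor role that comes from an LDAP group mapping.
LDAP_USER = {
    "id": "jdoe",
    "roles": ["Anonymous", "Editor"],   # 'Anonymous' is the default, 'Editor' from group mapping
    "groups": ["editors"],
}
# A truly unauthenticated visitor carries only the Anonymous role.
ANON_USER = {"id": "Anonymous User", "roles": ["Anonymous"], "groups": []}

# Constructed catalog record: the document is indexed as visible to Editors only.
DOC_ALLOWED_ROLES_AND_USERS = ["Editor"]


def _expand(roles: List[str], user_id: str, groups: Iterable[str]) -> List[str]:
    """Assumed shape of the non-anonymous branch: roles + 'user:<id>' + 'user:<group>'."""
    return roles + ["user:" + user_id] + ["user:" + g for g in groups]


def allowed_current(roles: Iterable[str], user_id: str, groups: Iterable[str]) -> List[str]:
    """Logic as quoted in the ticket: any user carrying 'Anonymous' is treated as anonymous."""
    roles = list(roles)
    if "Anonymous" in roles:
        # The anonymous user has no further roles
        return ["Anonymous"]
    return _expand(roles, user_id, groups)


def single_role(role: str, roles: Iterable[str]) -> bool:
    """Assumed implementation of the ticket's singleRole(): true only if `role` is the only role."""
    return set(roles) == {role}


def allowed_proposed(roles: Iterable[str], user_id: str, groups: Iterable[str]) -> List[str]:
    """The reporter's proposal: short-circuit only when Anonymous is the sole role."""
    roles = list(roles)
    if single_role("Anonymous", roles):
        return ["Anonymous"]
    return _expand(roles, user_id, groups)


def catalog_visible(doc_allowed: Iterable[str], user_allowed: Iterable[str]) -> bool:
    """Assumed catalog filter: a record is returned if any indexed value matches the user's list."""
    return bool(set(doc_allowed) & set(user_allowed))


def compare(user: dict) -> dict:
    """Run both checks for one user against the constructed document."""
    cur = allowed_current(user["roles"], user["id"], user["groups"])
    new = allowed_proposed(user["roles"], user["id"], user["groups"])
    return {
        "current": cur,
        "proposed": new,
        "visible_current": catalog_visible(DOC_ALLOWED_ROLES_AND_USERS, cur),
        "visible_proposed": catalog_visible(DOC_ALLOWED_ROLES_AND_USERS, new),
    }


if __name__ == "__main__":
    # Logged-in LDAP user: the current check hides Editor content from them,
    # the proposed check lets the group-derived role through.
    print("ldap user:", compare(LDAP_USER))
    # Unauthenticated visitor: both checks agree, so the proposal does not widen access.
    print("anonymous:", compare(ANON_USER))
```

The second call is the check a reviewer would want before accepting the change: for a visitor whose only role is Anonymous, both variants return the same `['Anonymous']`, so the proposal removes the false negative for group-mapped LDAP users without granting anonymous visitors anything extra.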

Change History

comment:1 Changed 3 years ago by kleist

  • Status changed from new to confirmed
  • Component changed from Unknown to Backend (Python)