Ticket #12094 (reopened Bug)

Opened 5 years ago

Last modified 3 years ago

Regression: LDAP users with Manager role cannot see private items in Plone 4.1 (works in 4.0)

Reported by: nutjob Owned by:
Priority: minor Milestone: 4.x
Component: General Version: 4.1
Keywords: ldap, zope, role, manager, regression Cc: davidjb, gnafou, mlarreategi@…

Description

Content in the default workflow that is in the "private" state should be visible in folder listings, catalog queries, etc., to authenticated users who have the "Manager" Zope role, even when such users are sourced from LDAP and the role is conferred by an LDAP-group-to-Zope-role mapping. Indeed, this is the case with Plone 4.0, and it works great: managers can see at a glance private items in red and published items in blue.

However, in Plone 4.1, this doesn't work anymore. In Plone 4.1, users from LDAP who have the "Manager" role do not see "private" content in folders. In folder contents, red items don't appear for such users at all.

LDAP-sourced users with the Manager role from an LDAP-group-to-Zope-role mapping should see such content.

Change History

comment:1 Changed 5 years ago by nutjob

  • Milestone changed from 4.1 to 4.2

FYI, here's how to reproduce this:

  1. Create a new buildout as follows:
[buildout]
extends = http://dist.aclark.net/build/plone/4.1.x/develop.cfg
[plone]
eggs += plone.app.ldap
zcml += plone.app.ldap
http-address = 1041
[versions]
python-ldap = 2.3.13

(The pin to 2.3.13 of Python LDAP makes it work on Mac OS X Lion.)

  2. Bootstrap, buildout, bin/plone fg.
  3. Visit http://localhost:1041/ and create a new Plone site (logging in with the ZMI user admin/admin). Check the box by "LDAP support" while you're here.
  4. Add a new page with any title, summary, and body text. Leave it in the private state. Notice how it appears in the globalnav tabs.
  5. Visit http://localhost:1041/Plone/@@ldap-controlpanel and add an LDAP connection. Set the parameters and server settings as appropriate for your LDAP service.
  6. Visit http://localhost:1041/Plone/acl_users/ldap-plugin/acl_users/manage_grouprecords and, under "Add LDAP group to Zope role mapping", map an LDAP group to the Zope role "Manager".
  7. Quit your browser (to deactivate the HTTP basic authentication with the Zope root user). With a fresh browser, visit http://localhost:1041/Plone/ and log in as an LDAP user. Make sure you log in as a user who's in the group that you mapped in step 6 above.
  8. Notice how the page you made in step 4 does *not* appear in the globalnav tabs. It also doesn't appear in folder_contents.

Repeat all of the above, but change the buildout extends to http://dist.aclark.net/build/plone/4.1.x/develop.cfg (and the port number to 1040 for side-by-side comparisons) and it'll work just fine. In step 8, the page does appear.

comment:2 Changed 5 years ago by nutjob

In the last paragraph, I meant "4.0.x".

comment:3 Changed 5 years ago by nutjob

Isolated LDAP server & Plone 4.0 + 4.1 for testing + reproduction are available at https://github.com/nutjob4life/plone-ldap-bug

comment:4 Changed 5 years ago by nutjob

  • Priority changed from critical to minor

The actual cause seems to be https://dev.plone.org/plone/browser/Products.CMFPlone/trunk/Products/CMFPlone/CatalogTool.py?rev=48554 where if "Anonymous" appeared in the roles of the logged-in user, then it didn't matter what other roles were there; in _listAllowedRolesAndUsers, hannosch punts upon detecting Anonymous and returns that as the sole role.

NOTE: that this is going to bite plone.org itself as it uses "Anonymous" in its list of default user roles in its LDAP plugin (as of 2011-08-26T16:15:55).

(I can temporarily work around this by changing "Anonymous" to "Authenticated" in the default user roles, but I'm not sure what the security implications are of doing so.)

comment:5 Changed 5 years ago by davidjb

Aha, many thanks for the explanation. This explains why my Plone 4.1 install with LDAP enabled hasn't been working correctly!

In my use-cases of LDAP authentication, I'm not wanting to see everyone who can present valid credentials via LDAP (all 20,000 users in my organisation) having the Authenticated permission, as this will give some level of access within Plone. Like has been mentioned, I'm not sure of what someone can do with the Authenticated role. At very least, I see 'Set own properties' as a permission granted to this role, giving access to add/edit the user's user profile with biography and also 'Reply to item' -- seemingly the role for being able reply to discussion comments.

Can the CatalogTool be changed to check to see whether Anonymous is the only role, or something to that extent?
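
Added example (not Plone's own code, and not the pastie patch, which is not reproduced on this page): a minimal model of the logic comment 4 describes, with the 4.1 "Anonymous anywhere" short-circuit beside the "Anonymous is the only role" check comment 5 proposes. The User stand-in, the role lists and the group name are constructed for this example.

```python
# Added model of the regression in comment 4 (not Plone's own code): a
# stand-in for CatalogTool._listAllowedRolesAndUsers and for the catalog's
# allowedRolesAndUsers check.  The User class and sample roles are constructed.

class User(object):
    """Minimal stand-in for a PAS user (constructed for this example)."""
    def __init__(self, user_id, roles, groups=()):
        self.user_id, self.roles, self.groups = user_id, tuple(roles), tuple(groups)
    def getId(self):
        return self.user_id
    def getRoles(self):
        return self.roles
    def getGroups(self):
        return self.groups


def _expand(user, roles):
    # Shared by both variants: user id, roles, groups, then Anonymous.
    result = ['user:%s' % user.getId()] + list(roles)
    result += ['user:%s' % g for g in user.getGroups()]
    if 'Anonymous' not in result:
        result.append('Anonymous')
    return result


def allowed_roles_and_users_41(user):
    """4.1 behaviour per comment 4: 'Anonymous' anywhere in roles wins outright."""
    roles = user.getRoles()
    if 'Anonymous' in roles:
        return ['Anonymous']
    return _expand(user, roles)


def allowed_roles_and_users_fixed(user):
    """Comment 5's check: short-circuit only when 'Anonymous' is the sole role."""
    roles = tuple(user.getRoles())
    if roles == ('Anonymous',):
        return ['Anonymous']
    return _expand(user, roles)


def can_see(item_allowed, user_allowed):
    """Catalog visibility: the item's allowedRolesAndUsers must overlap the query."""
    return bool(set(item_allowed) & set(user_allowed))


# Private page: View granted to Manager and Owner only.
PRIVATE_PAGE = ['Manager', 'Owner']
# LDAP user whose plugin default roles include Anonymous (as on plone.org)
# and whose LDAP group is mapped to the Zope role Manager.
LDAP_MANAGER = User('jdoe', ['Anonymous', 'Authenticated', 'Manager'], ['plone-admins'])
```

A genuinely anonymous request (roles exactly `('Anonymous',)`) still collapses to `['Anonymous']` under the fixed variant, so it gains nothing from the change.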

comment:6 Changed 5 years ago by davidjb

  • Cc sk.random@… added

comment:7 Changed 5 years ago by davidjb

Fwiw, I'm presently using this patch http://pastie.org/2603659 as a workaround (solution?) to the issue.

comment:8 Changed 4 years ago by gnafou

  • Cc gnafou added

comment:9 Changed 4 years ago by erral

  • Cc mlarreategi@… added
  • Version set to 4.1
  • severity set to Untriaged

comment:10 Changed 4 years ago by eleddy

  • severity changed from Untriaged to Normal

comment:11 Changed 4 years ago by kleist

  • Status changed from new to confirmed
  • Keywords ldap, zope, role, manager, regression added; ldap zope role manager removed
  • Component changed from Infrastructure to General
  • Milestone changed from 4.2 to 4.x

comment:12 Changed 3 years ago by eleddy

  • Status changed from confirmed to closed
  • Resolution set to wontfix

This ticket has not been modified in over 9 months. In another brazen attempt to clean this tracker up, this is closed. If you really, REALLY care about this ticket, please re-verify that it is still an issue on the current supported releases (4.2 or 4.3) and reopen. Better yet, submit a pull request to fix the bug and then close the bug properly. We <3 you and all of your effort, but we can't go on like this anymore. I hope you aren't too mad and we can still be friends. Hugs.

comment:13 Changed 3 years ago by themask96

  • Status changed from closed to reopened
  • Resolution wontfix deleted

I've just tested this in Plone 4.3 and can confirm that this is still an issue. The patch added in comment 7 by davidjb seems to solve the issue. I don't know if the patch will break anything else. I hope this can be solved for older versions like Plone 4.1 (which is why I found this ticket and had the same issue).

comment:14 Changed 3 years ago by davidjb

  • Cc davidjb added; sk.random@… removed

I'm using the patch with Plone 4.3 and as best I can tell, there are no side effects on anything else at this stage. However, this isn't categorical. I'm happy to put a pull request together, but I'd like to get some feedback - especially on whether any other PAS plugins, built in or otherwise, may be affected.
