Ticket #12094 (reopened Bug)
Regression: LDAP users with Manager role cannot see private items in Plone 4.1 (works in 4.0)
| Reported by: | nutjob | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.x |
| Component: | General | Version: | 4.1 |
| Keywords: | ldap, zope, role, manager, regression | Cc: | davidjb, gnafou, mlarreategi@… |
Description
Content in the default workflow that is in the "private" state should be visible in folder listings, catalog queries, etc., to authenticated users who have the "Manager" Zope role, even when such users are sourced from LDAP and the role is conferred by an LDAP-group-to-Zope-role mapping. Indeed, this is the case with Plone 4.0, and it works great: managers can see at a glance private items in red and published items in blue.
However, in Plone 4.1, this doesn't work anymore. In Plone 4.1, users from LDAP who have the "Manager" role do not see "private" content in folders. In folder contents, red items don't appear for such users at all.
LDAP-sourced users with the Manager role from an LDAP-group-to-Zope-role mapping should see such content.
Change History
comment:3 Changed 5 years ago by nutjob
Isolated LDAP server & Plone 4.0 + 4.1 for testing + reproduction are available at https://github.com/nutjob4life/plone-ldap-bug
comment:4 Changed 5 years ago by nutjob
- Priority changed from critical to minor
The actual cause seems to be https://dev.plone.org/plone/browser/Products.CMFPlone/trunk/Products/CMFPlone/CatalogTool.py?rev=48554 where if "Anonymous" appeared in the roles of the logged-in user, then it didn't matter what other roles were there; in _listAllowedRolesAndUsers, hannosch punts upon detecting Anonymous and returns that as the sole role.
NOTE: this is going to bite plone.org itself as it uses "Anonymous" in its list of default user roles in its LDAP plugin (as of 2011-08-26T16:15:55).
(I can temporarily work around this by changing "Anonymous" to "Authenticated" in the default user roles, but I'm not sure what the security implications are of doing so.)
comment:5 Changed 5 years ago by davidjb
Aha, many thanks for the explanation. This explains why my Plone 4.1 install with LDAP enabled hasn't been working correctly!
In my use-cases of LDAP authentication, I'm not wanting to see everyone who can present valid credentials via LDAP (all 20,000 users in my organisation) having the Authenticated permission, as this will give some level of access within Plone. Like has been mentioned, I'm not sure of what someone can do with the Authenticated role. At very least, I see 'Set own properties' as a permission granted to this role, giving access to add/edit the user's user profile with biography and also 'Reply to item' -- seemingly the role for being able to reply to discussion comments.
Can the CatalogTool be changed to check to see whether Anonymous is the only role, or something to that extent?
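The short-circuit described in comment 4 and the "only role" check suggested in comment 5, as an added, simplified Python model (this is not Plone's CatalogTool code; the `User` class, the catalog filter and both function bodies are assumptions for the demo, and the sample users and catalog entries are constructed):

```python
# Added illustration, not Plone's own code: a simplified model of the
# CatalogTool short-circuit discussed in this ticket. Role names and the
# 'user:<id>' prefix follow Plone conventions; everything else is assumed.
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    roles: list = field(default_factory=list)   # roles as the PAS plugin reports them
    groups: list = field(default_factory=list)  # group ids (e.g. mapped from LDAP)


def allowed_roles_and_users_41(user):
    """Behaviour described in comment 4: 'Anonymous' anywhere in the role
    list short-circuits, so Manager and every other role are discarded."""
    roles = list(user.roles)
    if "Anonymous" in roles:
        return ["Anonymous"]
    roles += ["user:%s" % g for g in user.groups]
    roles.insert(0, "user:%s" % user.id)
    roles.append("Anonymous")
    return roles


def allowed_roles_and_users_fixed(user):
    """Variant suggested in comment 5: short-circuit only when 'Anonymous'
    is the *only* role the user holds; otherwise keep the real roles."""
    roles = list(user.roles)
    if roles == ["Anonymous"]:
        return ["Anonymous"]
    roles = [r for r in roles if r != "Anonymous"]
    roles += ["user:%s" % g for g in user.groups]
    roles.insert(0, "user:%s" % user.id)
    roles.append("Anonymous")
    return roles


def visible_items(catalog, user, lister):
    """Model of the catalog security filter: an item is returned when any
    of its allowedRolesAndUsers entries matches the user's computed list."""
    allowed = set(lister(user))
    return [title for title, item_roles in catalog if allowed & set(item_roles)]


# Constructed sample data: one published page and one private page.
CATALOG = [
    ("Published page", ["Anonymous"]),
    ("Private page", ["Manager", "Owner", "user:alice"]),
]
# Constructed LDAP user: group mapped to Manager, but the plugin's default
# user roles also include 'Anonymous', as comment 4 describes.
LDAP_MANAGER = User("bob", roles=["Anonymous", "Authenticated", "Manager"], groups=["admins"])
```

With the 4.1-style list the Manager only sees the published page; with the "only role" check the private page is listed as well, while a genuinely anonymous user still gets just `['Anonymous']`.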
comment:7 Changed 5 years ago by davidjb
Fwiw, I'm presently using this patch http://pastie.org/2603659 as a workaround (solution?) to the issue.
comment:9 Changed 4 years ago by erral
- Cc mlarreategi@… added
- Version set to 4.1
- severity set to Untriaged
comment:11 Changed 4 years ago by kleist
- Status changed from new to confirmed
- Keywords ldap, zope, role, manager, regression added; ldap zope role manager removed
- Component changed from Infrastructure to General
- Milestone changed from 4.2 to 4.x
comment:12 Changed 3 years ago by eleddy
- Status changed from confirmed to closed
- Resolution set to wontfix
This ticket has not been modified in over 9 months. In another brazen attempt to clean this tracker up, this is closed. If you really, REALLY care about this ticket, please re-verify that it is still an issue on the current supported releases (4.2 or 4.3) and reopen. Better yet, submit a pull request to fix the bug and then close the bug properly. We <3 you and all of your effort, but we can't go on like this anymore. I hope you aren't too mad and we can still be friends. Hugs.
comment:13 Changed 3 years ago by themask96
- Status changed from closed to reopened
- Resolution wontfix deleted
I've just tested this in Plone 4.3 and can confirm that this is still an issue. The patch added in comment 7 by davidjb seems to solve the issue. I don't know if the patch will break anything else. I hope this can be solved for older versions like Plone 4.1 (which is why I found this ticket and had the same issue).
comment:14 Changed 3 years ago by davidjb
- Cc davidjb added; sk.random@… removed
I'm using the patch with Plone 4.3 and as best I can tell, there are no side effects on anything else at this stage. However, this isn't categorical. I'm happy to put a pull request together, but I'd like to get some feedback - especially on whether any other PAS plugins, built in or otherwise, may be affected.
FYI, here's how to reproduce this:
(The pin to 2.3.13 of Python LDAP makes it work on Mac OS X Lion.)
Repeat all of the above, but change the buildout extends to http://dist.aclark.net/build/plone/4.1.x/develop.cfg (and the port number to 1040 for side-by-side comparisons) and it'll work just fine. In step 8, the page does appear.