Permissions on Office New Forums Not Working

Hey Paul,

This bug has been sitting in the queue for almost a year. Did you ever follow-up on this? I was just cleaning up tickets in the OSF system and saw that I have a pending request to get back to a user related to this ticket.

Thanks,

Crap, I didn't put this in a milestone and thus it fell off the radar. I'll ask Carlos to take a look at it.

Carlos, can you spend a little time this week investigating? I suspect you can test this out on staging. If you need more background, reply to this ticket so Nat and I can reply.

I want to understand the problem. Is it that the inherit acl radio button value is always "Disabled" even after trying to change to "Enabled"? Is something else not working right? Can you give an example of an action that is not working?

Nat, I think I’ve forgotten as well. Was it that changes to the ACL on the screen never got saved? Or was it that it saved, but didn’t have the security effect?

—Paul

> On Mar 29, 2016, at 6:00 PM, Carlos de la Guardia <email address hidden> wrote:
>
> I want to understand the problem. Is it that the inherit acl radio
> button value is always "Disabled" even after trying to change to
> "Enabled"? Is something else not working right? Can you give an example
> of an action that is not working?
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> New
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

I'll have to double check. I think the problem is that new forums weren't inheriting the correct permissions, but it's been so long I have to look into it.

-Nat

Sent with Good (www.good.com)

-----Original Message-----
From: Paul Everitt [<email address hidden><mailto:<email address hidden>>]
Sent: Wednesday, March 30, 2016 07:16 AM Eastern Standard Time
To: Nathaniel Katin-Borland
Subject: Re: [Bug 1450132] Permissions on Office New Forums Not Working

Nat, I think I’ve forgotten as well. Was it that changes to the ACL on
the screen never got saved? Or was it that it saved, but didn’t have the
security effect?

—Paul

> On Mar 29, 2016, at 6:00 PM, Carlos de la Guardia <email address hidden> wrote:
>
> I want to understand the problem. Is it that the inherit acl radio
> button value is always "Disabled" even after trying to change to
> "Enabled"? Is something else not working right? Can you give an example
> of an action that is not working?
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> New
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1450132

Title:
  Permissions on Office New Forums Not Working

Status in KARL4:
  New

Bug description:
  The ACL permissions on Office News Forums don't seem to be properly
  inheriting. Paul and I attempted to update permissions at the
  following link, with no success:

  https://karl.soros.org/offices/budapest/forums/budapest-
  news/edit_acl.html

  Please investigate.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

First problem I found is that the form always shows inherit acl as disabled. Fixed that.

Locally, the form appears to work correctly. If there are any other problems, please let me know.

Very good, thanks! I’ll get this on staging over the weekend so Nat can test.

—Paul

> On Apr 1, 2016, at 12:26 AM, Carlos de la Guardia <email address hidden> wrote:
>
> First problem I found is that the form always shows inherit acl as
> disabled. Fixed that.
>
> Locally, the form appears to work correctly. If there are any other
> problems, please let me know.
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> New
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

Just rolled this into production.

Re-opening, Nat said: "I attempted to re-add the group.FeatureAdmins to get the correct permissions, but it still doesn't seem to be working..."

Ok, maybe I'm missing something here, but there doesn't seem to be any group.featureAdmins anywhere in the code. I tested assigning acls to a simple KarlStaff user and it worked. Did we remove the group at some point or does that work in a way in which I'm not familiar?

Nat, can I get with you this week to do a Skype shared screen? I can then give Carlos exactly what you are doing.

—Paul

> On May 7, 2016, at 2:30 AM, Carlos de la Guardia <email address hidden> wrote:
>
> Ok, maybe I'm missing something here, but there doesn't seem to be any
> group.featureAdmins anywhere in the code. I tested assigning acls to a
> simple KarlStaff user and it worked. Did we remove the group at some
> point or does that work in a way in which I'm not familiar?
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> In Progress
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

What I think Nat is doing is going to the edit acl page and adding allow rules for group.featureAdmin. What I'm saying is that there is no such group, or at least I don't know where it is defined.

If I add a new user to a group such as group.KarlStaff and add an allow rule for that user using the same screen, the rule works, so there seems to be something wrong with the group, not the acl page.

The group is defined via the GSA sync, not in the code. We allow OSF to make custom groupings in content.

—Paul

> On May 8, 2016, at 12:21 PM, Carlos de la Guardia <email address hidden> wrote:
>
> What I think Nat is doing is going to the edit acl page and adding allow
> rules for group.featureAdmin. What I'm saying is that there is no such
> group, or at least I don't know where it is defined.
>
> If I add a new user to a group such as group.KarlStaff and add an allow
> rule for that user using the same screen, the rule works, so there seems
> to be something wrong with the group, not the acl page.
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> In Progress
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

So, how can I check if a user has this group from Karl?

I suspect the groups for a user is stored on the user object, right? Just open bin/debug on staging and grab the object.

Nat got with me an hour ago and gave me a walkthrough on what’s happening. I recorded the screen so I could put it somewhere (let me know if it would help). In a nutshell:

- He showed me how, in GSA, he adds a user AndyHaupert to the FeatureAdmins group

- He then logs in as that user and goes to a post in /offices/budapest/forums/budapest.news

- That user doesn’t see the “Edit” or “Delete” actions on a post

- As KarlAdmin, though, the ACL looks correct

So the diagnosis appears to either be:

- That user should be in the group, but isn’t

- The template/view code which shows the actions, isn’t correctly doing has_permission

—Paul

> On May 9, 2016, at 3:30 PM, Carlos de la Guardia <email address hidden> wrote:
>
> So, how can I check if a user has this group from Karl?
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> In Progress
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

Ok, thanks for the clues. Had to debug for a while, but now I know what happens.

The issue is that all forum posts have (Deny, Everyone, ('edit', 'delete')) in the local acl, which in effect prevents inheritance of parent's acls. The Pyramid authorization policy returns a Deny as soon as it reaches this acl, and never even attempts to check the parents. This comes from the workflow definitions.

I suggest we change the default workflow for forums to either remove the no inherit acl or include an Allow for group.FeatureAdmins before that. This same behavior will also show up in blog posts and comments. This change would require walking up to every post and changing the local acl.

Makes sense….Blogs were designed to only let KarlAdmin and the author do editing. Forums were derived from blogs, but we later changed it to have group management of forums. Thus, we should leave blog posts the way they are.

I’m surprised that *posts* have the deny in the *local* ACL. IMO, the deny should be inherited from the container, and on the class not the instance.

—Paul

> On May 10, 2016, at 1:26 AM, Carlos de la Guardia <email address hidden> wrote:
>
> Ok, thanks for the clues. Had to debug for a while, but now I know what
> happens.
>
> The issue is that all forum posts have (Deny, Everyone, ('edit',
> 'delete')) in the local acl, which in effect prevents inheritance of
> parent's acls. The Pyramid authorization policy returns a Deny as soon
> as it reaches this acl, and never even attempts to check the parents.
> This comes from the workflow definitions.
>
> I suggest we change the default workflow for forums to either remove the
> no inherit acl or include an Allow for group.FeatureAdmins before that.
> This same behavior will also show up in blog posts and comments. This
> change would require walking up to every post and changing the local
> acl.
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> In Progress
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

What would be the next action here?

I think based on comment #18, should we remove (Deny, Everyone, ('edit', 'delete')) from Forum Posts?

Maybe you and I will have talk this one through.

Carlos, think you can wrap this one up this week?

Yes, I will.
Carlos de la Guardia

      From: Paul Everitt <email address hidden>
 To: <email address hidden>
 Sent: Tuesday, May 24, 2016 6:09 AM
 Subject: [Bug 1450132] Re: Permissions on Office New Forums Not Working

Carlos, think you can wrap this one up this week?

--
You received this bug notification because you are a bug assignee.
https://bugs.launchpad.net/bugs/1450132

Title:
  Permissions on Office New Forums Not Working

Status in KARL4:
  In Progress

Bug description:
  The ACL permissions on Office News Forums don't seem to be properly
  inheriting.  Paul and I attempted to update permissions at the
  following link, with no success:

  https://karl.soros.org/offices/budapest/forums/budapest-
  news/edit_acl.html

  Please investigate.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

Carlos has a fix ready for this, need to test on staging.

Nat reports frequent problems with staging have made this impossible to test. Staging works for me, so not sure how to proceed.

Let’s punt on this until after Aug 14.

—Paul

> On Jul 29, 2016, at 4:26 AM, Carlos de la Guardia <email address hidden> wrote:
>
> Nat reports frequent problems with staging have made this impossible to
> test. Staging works for me, so not sure how to proceed.
>
> ** Changed in: karl4
> Status: In Progress => Fix Committed
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> Fix Committed
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

Nat, I think we now know that the problems are related to the weird database issues on staging. I think we can find a way to work around that, just to finish this ticket. Should we try to close this in the remainder of August, or is the priority lower?

This is not more important than the Archive to Box fixes, but if we want to knock off this small issue it's fine with me. HR is waiting on the fix, but it's not more important than Archive to Box or password changes.

Nat, want me to push this to October?

Yes, this is fine to push!

I can’t quite remember if I did the last part, where I run a script to do the ACL removals. I’ll run that again on staging if Nat doesn’t mind testing again.

This is actually already deployed in production, we just haven’t run that command-line script.

—Paul

> On Sep 1, 2016, at 5:28 PM, Nat Katin-Borland <email address hidden> wrote:
>
> Yes, this is fine to push!
>
> --
> You received this bug notification because you are subscribed to KARL4.
> Matching subscriptions: KARL4
> https://bugs.launchpad.net/bugs/1450132
>
> Title:
> Permissions on Office New Forums Not Working
>
> Status in KARL4:
> Fix Committed
>
> Bug description:
> The ACL permissions on Office News Forums don't seem to be properly
> inheriting. Paul and I attempted to update permissions at the
> following link, with no success:
>
> https://karl.soros.org/offices/budapest/forums/budapest-
> news/edit_acl.html
>
> Please investigate.
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/karl4/+bug/1450132/+subscriptions

Carlos, can we do this one (and the continuation byte thing) this week?

Nat, is this still an issue?

I believe this is still an issue, but I'm not sure I can actually test this myself anymore with all the login restrictions. I think I'll have to enlist someone to help me test because I can't ghost users anymore.

-Nat

@nborland Should I just close this?

Yes, we can just declare defeat on this:)