DL Group Access problem?

Bug #162670 reported by Richard H.
Affects: Document Library
Status: New
Importance: Undecided
Assigned to: Martijn Faassen
Milestone: (none listed)

Bug Description

I'll try to investigate more thoroughly, but I have just noticed that an 'access controlled' document link that I should be able to see on a page on arana isn't appearing. In Mozilla Firefox 2, I log into the DL in the first browser tab. I then open a second tab in the same browser and go to a web page created in Silva that contains DL links. The document in question has group access set to 'DL-isd' (an LDAP group that I have membership of) so I should be seeing it, but the link doesn't appear here.

What makes this confusing is that I have some bookmarks in Mozilla Firefox that open up about 6-7 tabs relating to the DL (the DL itself, Zope, Silva, the atom feed, and so on). If I view the links in one of the tabs in this scenario, then I *can* see the access controlled link. I log in twice when these tabs are loaded up - once into the DL and the second time into Silva using a local Silva account. I thought it might be the local Silva account so I tried firing up the browser and logging into Silva with one tab, then going to the web page with the links in another tab. Unfortunately the 'access controlled' link still didn't appear.

What is going on? Is this a browser caching problem or is the whole access controlled/group access thing not working correctly?

Richard H. (richard-hewison) wrote :

Ok, I've cleared all private data in the Mozilla Firefox browser and then performed the following:

Opened Mozilla Firefox 2. Gone to Silva on arana (test Zope instance), logging in using a local Silva account (Zope manager level) as opposed to an account initially created via LDAP. Opened up a second tab, going to the Silva web page on arana that pulls in the DL links.

The result is that the access controlled link is displayed on the page. However, it shouldn't be displayed because I haven't logged in using LDAP at all. Therefore, the access controlled link is presumably being displayed because of the Silva manager role login (in the first tab), and not because of who I am logged in as (via LDAP) or what groups I belong to (in LDAP) - because I'm not logged in via LDAP.

If I repeat the above exercise (clearing the private data again) but log in to the DL (and am thus authenticated against LDAP), then the access controlled link does not appear if I try to view the web page via a second tab in the same browser.

This has now got me concerned that the LDAP authentication and Group Access part of the DL is not working properly? Is using different tabs in the same browser session a good enough test of this?

Kit Blake (kitblake) wrote :

The easiest way to test is to use two browsers. But you can log in in one, create a new tab, log out, and log in again and compare. This takes more steps but it does make it easy to compare just by switching tabs.

Logging in via Zope where you're assigned a manager role will give you all rights.

Richard H. (richard-hewison) wrote : [Bug 162670] Re: DL Group Access problem?

** High Priority **

In IE v6, I cleared all private data (cookies, temp files, etc) from the browser. I then visited the web page on arana and couldn't see the access controlled link. This is as I would expect, as the browser doesn't know who I am so it only shows those links available to EVERYBODY.

Next, I change the URL in the same browser window and log in to the document library that contains the document I'm trying to see. I then change the URL again in the same browser, to visit the web page on arana again. I perform a browser refresh just in case and I still don't see the access controlled link.

Now to Mozilla Firefox v2. I cleared all private data in Mozilla then accessed the web page. It didn't show the link (as you would expect). I then cleared private data again and quit the browser completely. I then fired it up again, but this time logged in to the relevant DL that contains the document. I then opened a second tab in the same browser in the same session and visited the web page on arana. The document link is NOT shown.

I'm 99% sure that this proves that access control via LDAP and groups isn't working. This is a huge problem for us. It appears that our previous testing was affected by the Zope Manager role credentials being able to see everything regardless.

This needs to be investigated as a matter of urgency. This is a key component to the DL LDAP additions which we thought was working, but obviously isn't.

Eric Casteleijn (thisfred) wrote :

Martijn, can you look at this tomorrow? (forwarding this by email as well)

Changed in documentlibrary:
assignee: nobody → faassen

Martijn Faassen (faassen) wrote : Re: [Bug 162670] DL Group Access problem?

Hoi,

On Nov 15, 2007 10:43 AM, Launchpad Bug Tracker
<email address hidden> wrote:
> What is going on? Is this a browser caching problem or is the whole
> access controlled/group access thing not working correctly?

In order to see the access controlled info in Silva, you do need to be
logged into Silva. You did try this: if you logged into Silva with one
tab (or previously in the same tab), access controlled links you
have access to should show up in the page, even if it's a public web
page. It's odd that it works in one scenario and doesn't in another.

It could very well be a cache. Try reloading the page with your shift
key pressed down; that triggers a harder refresh in your browser.

If that doesn't help, Eric and I will look into this, probably
Thursday next week. Note that I'd like some more information about
this in that case: the URL in Silva where it doesn't work correctly
for you, and the URL to the document in the DL which is restricted to
the group. We also would need a user account in LDAP that is a member of
any group, preferably DL-isd. Add this to the list of LDAP accounts
I've requested previously for testing the email issue. :)

Richard H. (richard-hewison) wrote :

Martijn,

We have cleared all caches in both IEv6 and Mozilla Firefox 2.x and we are still not seeing access controlled links in either browser. Currently the only way to see them is to be logged into Silva in the same browser session.

The details are as follows:

The arana 'staff' DL has a currently available document called 'Installing & Configuring New Silva Instances' which is for members of the LDAP group DL-ISD only. I am a member of this group so I should be seeing the link if I am logged into the DL and then go to the web page or open a second tab and go to the web page.

I have amended this document so it is for members of the LDAP group Test_Group. I will email Martijn a valid username and password for this group later this morning so he can try logging into the DL and then accessing the document via /uob_staff_test/isd on arana.

Eric Casteleijn (thisfred) wrote :

I'm confused a little, but I don't think this is true:

"I am a member of this group so I should be seeing the link if I am logged into the DL and then go to the web page or open a second tab and go to the web page."

The two servers, DL and Silva, are completely separate, so Silva has no (and *can't* have any) knowledge of whether or not you are authenticated with the DL. You will need to log in to Silva with the LDAP account. If you've done that, and still do not see the link, then there's a bug. I've read through the whole thread but I'm not sure that that is what's currently happening.

Richard H. (richard-hewison) wrote : [Bug 162670] Re: DL Group Access problem?

Okay, time to try and clarify a few assumptions from our end:

A Silva page will only show 'access controlled' DL links if it knows who the viewer of the web page is (via LDAP authentication). Is this correct?

At present, the only way a Silva-generated web page on arana could know the identity of the viewer is if it is getting this authentication information from the browser's current session (i.e. the viewer has logged into the DL using their network username and password (via LDAP) and has then opened up a second tab and accessed the web page from there). Is this correct?

If these assumptions are correct, then 'access controlled' document links aren't working.

Richard H. (richard-hewison) wrote :

Okay, here is some more information that might be relevant:

I had a 'Silva Simple Member' account within the uob_staff_test/Members folder. I have no idea where this came from but it was the only user account like it within that folder.

I also had a locally created Silva account in the acl_users folder in the Zope root on arana. This had a separate standalone Silva password, and it gave me the Manager role in any Silva instance on arana.

As far as I am aware, neither of these accounts was created as a result of interrogating LDAP in Silva on arana.

Anyway, I created a new local Silva user account in the uob_staff_test/Members folder called ploverxyzzy and gave it the Zope manager role. I then deleted both of the previously mentioned accounts.

If I then go into the Silva instance uob_staff_test as ploverxyzzy and try and do a search for users (which is presumably going via LDAP) then I always fail to get any search results back. It seems as if the LDAP functionality in Silva on arana is no longer working. This used to work fine.

Could the above therefore help explain why we've not seen any access controlled links using LDAP?

Eric Casteleijn (thisfred) wrote :

"At present, the only way a Silva-generated web page on arana could know the identity of the viewer is if it is getting this authentication information from the browser's current session (i.e. the viewer has logged into the DL using their network username and password (via LDAP) and has then opened up a second tab and accessed the web page from there). Is this correct?"

No, I don't think so: the servers are different, running on different URLs, and so cannot look in each other's sessions. The only way the Silva-generated webpage can know the identity of the viewer is if the viewer is logged into *Silva*.

Richard H. (richard-hewison) wrote :

Okay, then the LDAP side of Silva is probably broken (see my other email for details).

Richard H. (richard-hewison) wrote :

After our recent LDAP issues, I should point out that this is still not working correctly... :-(

If I log in to Silva using my usual network login, I can access the /uob_staff_test/isd index page in Silva to edit it.

If I open a new tab in the same browser (Mozilla Firefox 2.0.xx) and access the generated /uob_staff_test/isd page, I see a number of DL links but I should also see an 'access controlled' document link which is only viewable to the LDAP group 'DL-ISD' (of which I am a member). Unfortunately, that document (Installing and Configuring new Silva instances) isn't showing up!

Richard H. (richard-hewison) wrote :

Okay, this was related to the incorrect label FullName (rather than fullName). It seems to be working again now - I hope!
