DL Group Access problem?

Ok, I've cleared all private data in the Mozilla Firefox browser and then performed the following:

Opened Mozilla Firefox 2. Gone to Silva on arana (test Zope instance), logging in using a local Silva account (Zope manager level) as opposed to an account initially created via LDAP. Opened up a second tab, going to the Silva web page on arana that pulls in the DL links.

The result is that the access controlled link is displayed on the page. However, it shouldn't be displayed because I haven't logged in using LDAP at all. Therefore, the access controlled link is presumably being displayed because of the Silva manager role login (in the first tab), and not because of who I am logged in as (via LDAP) or what groups I belong to (in LDAP) - because I'm not logged in via LDAP.

If I repeat the above exercise (clearing the private data again) but login to the DL (and am thus authenticated against LDAP)), then the access controlled link does not appear if I try to view the web page via a second tab in the same browser.

This has now got me concerned that the LDAP authentication and Group Access part of the DL is not working properly? Is using different tabs in the same browser session a good enough test of this?

The easiest way to test is to use two browsers. But you can login in one, create a new tab, logout, and login in again and compare. This takes more steps but it does make it easy to compare just by switching tabs.

Logging in via Zope where you're assigned a manager role will give you all rights.

** High Priority **

In IE v6, I cleared all private data (cookies, temp files, etc) from the browser. I then visited the web page on arana and couldn't see the access controlled link. This is as I would expect, as the browser doesn't know who I am so it only shows those links available to EVERYBODY.

Next, I change the URL in the same browser window and login to the document library that contains the document I'm trying to see. I then change the URL again in the same browser, to visit the web page on arana again. I perform a browser refresh just in case and I still don't see the access controlled link.

Now to Mozilla Firefox v2. I cleared all private data in Mozilla then accessed the web page. It didn't show the link (as you would expect). I then cleared private data again and quit the browser completely. I then fired it up again, but this time logged in to the relevant DL that contains the document. I then opened a second tab in the same browser in the same session and visited the web page on arana. The document link is NOT shown.

I'm 99% sure that this proves that access control via LDAP and groups isn't working. This is a huge problem for us. It appears that our previous testing was affected by the Zope Manager role credentials being able to see everything regardless.

This needs to be investigated as a matter of urgency. This is a key component to the DL LDAP additions which we thought was working, but obviously isn't.

Martijn, can you look at this tomorrow? (forwarding this by email as well)

Hoi,

On Nov 15, 2007 10:43 AM, Launchpad Bug Tracker
<email address hidden> wrote:
> What is going on? Is this a browser caching problem or is the whole
> access controlled/group access thing not working correctly?

In order to see the access controlled info in Silva, you do need to be
logged into Silva. You did try this: if you logged into Silva with one
tab (or previously in the same tab), accessed controlled links you
have access to should show up in the page, even if it's a public web
page. It's odd that it works in one scenario and doesn't in another.

It could very well be a cache. Try reloading the page with your shift
key pressed down; that triggers a harder refresh in your browser.

If that doesn't help, Eric and I will look into this, probably
thursday next week. Note that I'd like some more information about
this in that case: the URL in Silva where it doesn't work correctly
for you, and the URL to the document in the DL which is restricted to
the group. We also would need a user account in LDAP that is member of
any group, preferably DL-isd. Add this to the list of LDAP accounts
I've requested previously for testing the email issue. :)

Martijn,

We have cleared all caches in both IEv6 and Mozilla Firefox 2.x and we are still not seeing access controlled links in either browser. Currently the only way to see them is to be logged into Silva in the same browser session.

The details are as follows:

The arana 'staff' DL has a currently available document called 'Installing & Configuring New Silva Instances' which is for members of the LDAP group DL-ISD only. I am a member of this group so I should be seeing the link if I am logged into the DL and then go to the web page or open a second tab and go to the web page.

I have amended this document so it is for members of the LDAP group Test_Group. I will email Martijn a valid username and password for this group later this morning so he can try logging into the DL and then accessing the document via /uob_staff_test/isd on arana.

I'm confused a little, but I don't think this is true:

"I am a member of this group so I should be seeing the link if I am logged into the DL and then go to the web page or open a second tab and go to the web page."

The two servers, DL and Silva, are completely separate, so Silva has no (and *can't* have any) knowledge of whether or not you are authenticated with the DL. You will need to login to Silva with the LDAP account. If you've done that, and still do not see the link, then there's a bug. I've read through the whole thread but I'm not sure that that is what's currently happening.

Okay, time to try and clarify a few assumptions from our end:

A Silva page will only show 'access controlled' DL links if it knows who the viewer of the web page is (via LDAP authentication). Is this correct?

At present, the only way a Silva-generated web page on arana could know the identity of the viewer is if it is getting this authentication information from the browser's current session (i.e. the viewer has logged into the DL using their network username and password (via LDAP) and have then opened up a second tab and accessed the web page from there). Is this correct?

If these assumptions are correct, then 'access controlled' document links aren't working.

Okay, here is some more information that might be relevant:

I had a 'Silva Simple Member' account within the uob_staff_test/Members folder. I have no idea where this came from but it was the only user account like it within that folder.

I also had a locally created Silva account in the acl_users folder in the Zope root on arana. There had a separate stand alone Silva password, and it gave me the Manager role in any Silva instance on arana.

As far as I am aware, neither of these accounts were created as a result of interrogating LDAP in Silva on arana.

Anyway, I created a new local Silva user account in the uob_staff_test/Members folder called ploverxyzzy and gave it the Zope manager role. I then deleted both of the previously mentioned accounts.

If I then go into the Silva instance uob_staff_test as ploverxyzzy and try and do a search for users (which is presumably going via LDAP) then I always fail to get any search results back. It seems as if the LDAP functionality in Silva on arana is no longer working. This used to work fine.

Could the above therefore help explain why we've not seen any access controlled links using LDAP?

"At present, the only way a Silva-generated web page on arana could know the identity of the viewer is if it is getting this authentication information from the browser's current session (i.e. the viewer has logged into the DL using their network username and password (via LDAP) and have then opened up a second tab and accessed the web page from there). Is this correct?"

No, I don't think so: the servers are different, running on different urls, and so cannot look in eachother's sessions. The only way the Silva-generated webpage can know the identity of the viewer is if the viewer is logged into *Silva*.

Okay, then the LDAP side of Silva is probably broken (see my other email for details).

After our recent LDAP issues, I should point out that this is still not working correctly... :-(

If I login to Silva using my usual network login, I can access the /uob_staff_test/isd index page in Silva to edit it.

If I open a new tab in the same browser (Mozilla Firefox 2.0.xx) and access the generated /uob_staff_test/isd page, I see a number of DL links but I should also see an 'access controlled' document link which is only viewable to the LDAP group 'DL-ISD' (of which I am a member). Unfortunately, that document (Installing and Configuring new Silva instances) isn't showing up!

Okay, this was related to the incorrect label FullName (rather than fullName). It seems to be working again now - I hope!