[ https://jira.duraspace.org/browse/DS-562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Bollini resolved DS-562.
-------------------------------

    Resolution: Fixed

I have reviewed the code and I have found a logic error that should produce a
bug in conditions like those that are reported.
The logic is a little complex, but much of that is due to compatibility with
the old (pre-1.6) behaviour, where there was a custom inheritance of the WRITE
policy on the collection (the canEdit() method). The bug that I have found is
located in the last check, which doesn't need to be done if the user is
authorized by the old "canEdit" logic (WRITE or ADD policy on the collection or
on any parent communities).

Anyway, a user with only WRITE, ADD and ADMIN policy cannot delete a
collection by design.
It needs a REMOVE policy on the parent community.

Without the committed patch a community admin was not able to delete a
collection in her community with the default configuration (delegate
administration dspace.cfg section).
With the patched code a user with REMOVE policy on the community and WRITE,
ADD and ADMIN policy on the collection can remove the collection.
The WRITE policy on the collection is only needed if the property
core.authorization.collection-admin.template-item
is set to false (true by default). The ADD policy on the collection doesn't
matter. ADD or WRITE policy on the parent community gives the user the
ability to delete the template item of owned collections. This means that a
user with REMOVE and WRITE permission on the community can delete a collection
with an item template within the community.

I have changed the title of the issue to better match all the pre-conditions,
but if I have misunderstood anything please feel free to re-open the issue
or create a new one and assign it to me.


> User with WRITE, ADD and ADMIN policy on collection cannot delete that 
> collection due to bug in 
> AuthorizeUtil.authorizeManageTemplateItem(context,collection)
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DS-562
>                 URL: https://jira.duraspace.org/browse/DS-562
>             Project: DSpace
>          Issue Type: Bug
>          Components: DSpace API
>    Affects Versions: 1.6.0
>            Reporter: Andrew Taylor
>            Assignee: Andrea Bollini
>             Fix For: 1.7.0
>
>
> During the process of deleting a collection a call is made to 
> AuthorizeUtil.authorizeManageTemplateItem(context,collection) - line 289 of 
> 1.6.0 code, which seems to contain a logic error in the way it checks the 
> permissions.
> As it currently stands this method will only 'allow' if the user is a system 
> admin or is an admin who cannot edit the collection (i.e. lacks the ADD or 
> WRITE policy). 
> This to me seems like it is broken but I will happily stand corrected if it 
> is working as intended.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.duraspace.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
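
A simplified model of the outcomes this message describes, as an added example that is not DSpace source code or the committed patch. The class, method and parameter names are hypothetical, `collAdminProp` stands for core.authorization.collection-admin.template-item, and the reading of canEdit() is an assumption taken from the per-policy statements in the resolution comment. It contrasts the reported 1.6.0 decision with the patched one for the permission combinations the message names.

```java
import java.util.EnumSet;
import java.util.Set;

public class TemplateItemAuthModel {
    enum Policy { WRITE, ADD, ADMIN, REMOVE }

    // Assumed reading of "canEdit": WRITE on the collection, or WRITE/ADD on the
    // parent community (the message says ADD on the collection does not matter).
    static boolean canEdit(Set<Policy> coll, Set<Policy> comm) {
        return coll.contains(Policy.WRITE)
            || comm.contains(Policy.WRITE) || comm.contains(Policy.ADD);
    }

    // Reported 1.6.0 outcome: only a system admin, or an admin who cannot edit, passes.
    static boolean manageTemplateBuggy(Set<Policy> coll, Set<Policy> comm,
                                       boolean sysAdmin, boolean collAdminProp) {
        boolean admin = collAdminProp && coll.contains(Policy.ADMIN);
        return sysAdmin || (admin && !canEdit(coll, comm));
    }

    // Patched outcome: a canEdit authorization is sufficient on its own.
    static boolean manageTemplateFixed(Set<Policy> coll, Set<Policy> comm,
                                       boolean sysAdmin, boolean collAdminProp) {
        boolean admin = collAdminProp && coll.contains(Policy.ADMIN);
        return sysAdmin || canEdit(coll, comm) || admin;
    }

    // Deleting a collection additionally needs REMOVE on the parent community.
    static boolean canDelete(Set<Policy> coll, Set<Policy> comm,
                             boolean collAdminProp, boolean patched) {
        boolean template = patched ? manageTemplateFixed(coll, comm, false, collAdminProp)
                                   : manageTemplateBuggy(coll, comm, false, collAdminProp);
        return comm.contains(Policy.REMOVE) && template;
    }

    static void row(String label, Set<Policy> coll, Set<Policy> comm, boolean prop) {
        System.out.printf("%-36s before=%-5b after=%b%n", label,
            canDelete(coll, comm, prop, false), canDelete(coll, comm, prop, true));
    }

    public static void main(String[] args) {
        Set<Policy> full = EnumSet.of(Policy.WRITE, Policy.ADD, Policy.ADMIN);
        Set<Policy> none = EnumSet.noneOf(Policy.class);
        Set<Policy> remove = EnumSet.of(Policy.REMOVE);
        row("coll WRITE/ADD/ADMIN, comm none", full, none, true);
        row("coll WRITE/ADD/ADMIN, comm REMOVE", full, remove, true);
        row("coll ADMIN, comm REMOVE, prop false", EnumSet.of(Policy.ADMIN), remove, false);
        row("coll none, comm REMOVE+WRITE", none, EnumSet.of(Policy.REMOVE, Policy.WRITE), true);
    }
}
```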

        

_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
