Bug #16538

workbench 2 should not allow sharing "write" or "manage" to all users group

Added by Peter Amstutz 5 months ago. Updated 3 months ago.

Status: Rejected
Priority: Normal
Assigned To: -
Category: Workbench2
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -

Related issues

Related to Arvados - Story #15372: Revise group permissions to separate them from permissions on managed objects (New)

History

#1 Updated by Peter Amstutz 5 months ago

  • Category set to API

#2 Updated by Tom Clegg 5 months ago

  • Assigned To set to Tom Clegg

#3 Updated by Tom Clegg 5 months ago

  • Status changed from New to In Progress

#4 Updated by Tom Clegg 5 months ago

One known example where the current user's UUID is missing from writable_by:
  • user A creates a collection and shares (read+write) with the "all users" role group
  • user B gets the collection
  • user B's uuid is missing from writable_by

This is correct because the collection is not, in fact, writable by user B. The "all users" role membership (added by user setup) is read-only.

#5 Updated by Tom Clegg 5 months ago

Since this seems to be the only known case, it seems the real bug is that "share R+W with All Users" just doesn't do what it sounds like, because the "All Users" role is a special role that intentionally behaves differently from other roles (multi-tenant means users can't necessarily see one another merely because they have been set up).

The solution may be to prevent Workbench from offering to share with the special All Users role beyond read-only.
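The behaviour discussed in comments #4 and #5, sketched as an added TypeScript example (not Arvados or Workbench code, and not part of the original comments). It assumes that a chain of permission links grants no more than its weakest link; the identifiers, the `Link` shape and the helper names `effectiveLevel` and `offerableLevels` are constructed for illustration.

```typescript
// Added illustration: constructed names and ids, not Arvados/Workbench code.
type Level = "none" | "read" | "write" | "manage";
const LEVELS: Level[] = ["none", "read", "write", "manage"];
const RANK: Record<Level, number> = { none: 0, read: 1, write: 2, manage: 3 };

interface Link { tail: string; head: string; level: Level; }

const ALL_USERS = "group:all-users"; // constructed placeholder id

// Assumption: each path is capped by its weakest link; the best path wins.
function effectiveLevel(links: Link[], from: string, target: string): Level {
  const best: Record<string, number> = {};
  best[from] = RANK.manage;
  const queue: string[] = [from];
  while (queue.length > 0) {
    const node = queue.shift() as string;
    const have = best[node] || 0;
    for (const l of links) {
      if (l.tail !== node) continue;
      const via = Math.min(have, RANK[l.level]);
      // Levels only ever increase and are bounded, so cycles terminate.
      if (via > (best[l.head] || 0)) {
        best[l.head] = via;
        queue.push(l.head);
      }
    }
  }
  return LEVELS[best[target] || 0];
}

// What a sharing dialog could offer: anything above "read" granted to the
// special All Users group is capped by the read-only membership anyway.
function offerableLevels(recipient: string): Level[] {
  return recipient === ALL_USERS ? ["read"] : ["read", "write", "manage"];
}

// Constructed sample data reproducing the case in comment #4.
const links: Link[] = [
  { tail: "user:B", head: ALL_USERS, level: "read" },        // added by user setup
  { tail: ALL_USERS, head: "collection:1", level: "write" }, // user A's "share R+W"
  { tail: "user:A", head: "collection:1", level: "manage" }, // creator, modelled as a link
];

console.log(effectiveLevel(links, "user:B", "collection:1")); // user B's level
console.log(offerableLevels(ALL_USERS));
```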

#6 Updated by Tom Clegg 5 months ago

  • Related to Story #15372: Revise group permissions to separate them from permissions on managed objects added

#7 Updated by Peter Amstutz 5 months ago

  • Target version changed from 2020-07-01 Sprint to 2020-07-15

#8 Updated by Tom Clegg 4 months ago

  • Target version changed from 2020-07-15 to 2020-08-12 Sprint

#9 Updated by Peter Amstutz 3 months ago

  • Target version changed from 2020-08-12 Sprint to 2020-08-26 Sprint

#10 Updated by Tom Clegg 3 months ago

  • Target version changed from 2020-08-26 Sprint to 2020-09-09 Sprint

#11 Updated by Peter Amstutz 3 months ago

  • Subject changed from current user appears in writable_by if user can actually write to the project to workbench should not allow sharing "write" or "manage" to all users group

#12 Updated by Peter Amstutz 3 months ago

  • Category changed from API to Workbench2
  • Subject changed from workbench should not allow sharing "write" or "manage" to all users group to workbench 2 should not allow sharing "write" or "manage" to all users group

#13 Updated by Tom Clegg 3 months ago

  • Assigned To deleted (Tom Clegg)
  • Status changed from In Progress to New

#14 Updated by Peter Amstutz 3 months ago

  • Target version changed from 2020-09-09 Sprint to 2020-09-23 Sprint

#15 Updated by Peter Amstutz 3 months ago

  • Status changed from New to Rejected

#16 Updated by Peter Amstutz 3 months ago

  • Target version deleted (2020-09-23 Sprint)
