Bug #19139

closed

Regular users should not be able to create user records; creating a user does not make admin the "owner" of that user

Added by Peter Amstutz 3 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 07/14/2022
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -

Description

  • Regular users should not be able to create user records
  • creating a user should not "own" that user
    • should be owned by system

Subtasks 1 (0 open, 1 closed)

Task #19211: Review 19139-user-creation-fixes | Resolved | Lucas Di Pentima | 07/14/2022

#1

Updated by Peter Amstutz 3 months ago

  • Description updated (diff)
#2

Updated by Peter Amstutz 3 months ago

  • Target version changed from 2022-05-25 sprint to 2022-06-08 sprint
#3

Updated by Peter Amstutz 3 months ago

  • Subject changed from Regular users should not be able to create user records; creating a user should not "own" that user to Regular users should not be able to create user records; creating a user does not make admin the "owner" of that user
#5

Updated by Peter Amstutz 3 months ago

  • Target version changed from 2022-06-08 sprint to 2022-06-22 Sprint
#6

Updated by Peter Amstutz 2 months ago

  • Target version changed from 2022-06-22 Sprint to 2022-07-06
#7

Updated by Lucas Di Pentima about 2 months ago

  • Assigned To set to Lucas Di Pentima
#8

Updated by Peter Amstutz about 1 month ago

  • Target version changed from 2022-07-06 to 2022-07-20
#9

Updated by Lucas Di Pentima about 1 month ago

  • Status changed from New to In Progress
#10

Updated by Lucas Di Pentima about 1 month ago

Updates at 70d97b9 - branch 19139-user-creation-fixes
Test run: developer-run-tests: #3233
WB1 integration re-run: developer-run-tests-apps-workbench-integration: #3475

  • Adds tests, one confirming that non-admins already cannot create users, the other exposing the bug about owner_uuid being assigned to non-system root users.
  • Fixes the bug by forcing that owner_uuid is always set to clsid-tpzed-000000000000000
#11

Updated by Tom Clegg about 1 month ago

(medium) looks like the code handles this correctly, but still seems worthwhile to also test the case where the client specifies an owner_uuid, and it is ignored / replaced with the root uuid.

Rest LGTM, thanks!

#12

Updated by Lucas Di Pentima about 1 month ago

Thanks for the suggestion! Added at e07a978 -- merging to main!

#13

Updated by Lucas Di Pentima about 1 month ago

  • Status changed from In Progress to Resolved

Applied in changeset arvados-private:commit:arvados|e16ee88755436818cbed44dabb784d1d3254d469.
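
The behaviour this ticket settles on (non-admins are refused, and owner_uuid is always forced to the system root user, including the case from comment #11 where the client supplies its own owner_uuid), as an added Ruby example. It is not Arvados code: UserStore, Actor, PermissionDenied, the zzzzz cluster id and the sequential UUIDs are assumptions made for illustration.

```ruby
# Added illustration; not Arvados source. All class and method names are hypothetical.
class PermissionDenied < StandardError; end

Actor = Struct.new(:uuid, :is_admin)

class UserStore
  attr_reader :records, :system_root_uuid

  def initialize(cluster_id)
    @cluster_id = cluster_id
    # UUID shape from the ticket: <cluster id>-tpzed-000000000000000
    @system_root_uuid = "#{cluster_id}-tpzed-000000000000000"
    @records = {}
  end

  # Create a user record for `actor` from client-supplied `attrs`.
  def create_user(actor, attrs)
    # Rule 1: regular (non-admin) and anonymous callers are refused.
    raise PermissionDenied, "only admins may create users" unless actor&.is_admin

    # Normalize keys first so "owner_uuid" (string) cannot slip past the
    # :owner_uuid (symbol) override below.
    clean = attrs.transform_keys(&:to_sym)
    # Rule 2: whatever owner the client sent, the system root user owns it.
    clean[:owner_uuid] = @system_root_uuid
    # Constructed sequential identifier, for the example only.
    clean[:uuid] = format("%s-tpzed-%015d", @cluster_id, @records.size + 1)
    @records[clean[:uuid]] = clean
  end
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new("zzzzz") # constructed cluster id
  admin = Actor.new("zzzzz-tpzed-adminadminadmin", true)
  user  = Actor.new("zzzzz-tpzed-activeuser00000", false)
  rec = store.create_user(admin, "email" => "a@example.com", "owner_uuid" => admin.uuid)
  puts "owner: #{rec[:owner_uuid]}"
  begin
    store.create_user(user, email: "b@example.com")
  rescue PermissionDenied => e
    puts "refused: #{e.message}"
  end
end
```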
