Move story yields "project not visible"

From time to time moving a story yields "project xy is not visible". For a long time I did not find out why this happens. The user had ALL privileges, and even so it happens from time to time. I tried to reproduce it on a non-production system with the original data, and I could not because it always worked fine! Only then did I debug it on the production system and find out why it happens, but not what the root cause is...

Let's say user John wants to move a story and he has all rights on the source and the destination project. Also let's assume that we have several other users (e.g. also Jack) on the system (which is not the case in the non-production system). What happens is that John triggers the sendToClient(E entity) method in AGwtConversation, in which the following code is executed:

if (!isEntityVisible(entity)) throw new PermissionDeniedException(entity + " is not visible");

isEntityVisible checks if the entity (the project) is visible for the user. Now the strange part happens: if you evaluate the user against which the permission is checked during the debugging session, not John appears but Jack!!!! I checked several times. If you look at the description of the thread it definitely says "...->John", but the user it is validated against IS Jack! It should be noted that there is a live session available for Jack, but it is not the user that we are debugging (in fact Jack is not actively working at the system, but the session is still available).

I hope I could make clear what the problem is.

Do you have any idea why the session of John holds a WebSession object of Jack against which the permission check happens?

cheers
Stefan

PS: Btw, that's the explanation why it "always" works on the non-production system, because there is only one user...

Status

Bug is fixed for Release 0.26.1. Needs to be tested.

Comments

Thu, Jul 10, 2014, 19:48 by Witek (SM,T)

Could not reproduce the problem yet, even with multiple users. Have added the session.toString() which contains the current user into the error message.

Thu, Jul 10, 2014, 19:53 by Witek (SM,T)

Ok, I got it and I am glad it is not a security issue ;-)

The onMoveRequirementToProject service call tries to send the changed project entity to all clients which are logged in. But this is false, since some clients may have users which have no permission to the destination project.
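The failure mode described in this comment, as an added Java sketch that is not Kunagi's code: a naive broadcast runs every recipient's visibility check inside the caller's request, so a client whose user (Jack) cannot see the destination project aborts John's move with "project xy is not visible", while a per-conversation filter simply skips that client. The class and method names Conversation, Broadcaster and sendToClientIfVisible are assumed for illustration; only sendToClient and isEntityVisible echo the names quoted in the report.

```java
import java.util.*;

// Constructed model of a project with a member list (not Kunagi's entity model).
class Project {
    final String name;
    final Set<String> members;
    Project(String name, String... members) {
        this.name = name;
        this.members = new HashSet<>(Arrays.asList(members));
    }
    @Override public String toString() { return "project " + name; }
}

class PermissionDeniedException extends RuntimeException {
    PermissionDeniedException(String msg) { super(msg); }
}

// One per logged-in client; carries that client's user, as a WebSession would.
class Conversation {
    final String user;
    final List<String> outbox = new ArrayList<>();
    Conversation(String user) { this.user = user; }

    boolean isEntityVisible(Project p) { return p.members.contains(user); }

    // Mirrors the quoted check: throwing here surfaces in whoever triggered the broadcast,
    // which is why the debugger showed Jack's session while John made the request.
    void sendToClient(Project p) {
        if (!isEntityVisible(p))
            throw new PermissionDeniedException(p + " is not visible (session user=" + user + ")");
        outbox.add(p.name);
    }

    // Hardened variant: deliver only to clients allowed to see the entity, never throw.
    boolean sendToClientIfVisible(Project p) {
        if (!isEntityVisible(p)) return false;
        outbox.add(p.name);
        return true;
    }
}

public class Broadcaster {
    public static void main(String[] args) {
        Project dest = new Project("xy", "john");            // Jack is not a member
        List<Conversation> clients = List.of(new Conversation("john"), new Conversation("jack"));
        try {
            for (Conversation c : clients) c.sendToClient(dest);   // buggy: aborts John's move
        } catch (PermissionDeniedException e) {
            System.out.println("John's request failed: " + e.getMessage());
        }
        int delivered = 0;
        for (Conversation c : clients) if (c.sendToClientIfVisible(dest)) delivered++;
        System.out.println("filtered broadcast delivered to " + delivered + " client(s)"); // 1
    }
}
```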

Fri, Jul 11, 2014, 08:59 by anonymous

Thanks for so quickly working on that subject and I am glad too it is not really a security issue. Do you have an idea when we could get a fix for it?

Thu, Sep 25, 2014, 16:27 by Stefan Höhn

I just noticed that this bug probably has even another effect: one of the Kunagi users added a comment to an issue, and the user's (let's say mueller) comment was not added as mueller's comment but as newuser3's, which is available in Kunagi BUT disabled! Hence, we cannot believe anymore who is actually doing what, as this information is not reliable.

Therefore please release a new version of Kunagi soon, as this bug has already been fixed and hopefully fixes that issue too.

Stefan
