Task #2965

closed

Some reports ignore permissions of the logged user

Added by Alena Peterová over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee: Tomáš Doischer
Target version:
Start date: 10/01/2021
Due date:
% Done: 100%
Estimated time:
Owner:

Description

When logged users have permissions to see only a part of the identities in IdM (e.g. their subordinates), and they also have the permission to execute reports, then some of the reports will display all identities in IdM.
The affected reports include at least:
  • Identities and their role with complex combination with contracts attributes.
    (identity-role-complex-report)
  • Identities and their assigned roles changes
    (identity-role-changes-report)
  • Get users who start/end contract in specific time range
    (users-start-end)

Please check the reports so they evaluate permissions of the logged user.
(E.g. the report "Identities (identity-report)" displays the correct amount of data.)

Version: 2.2.1

Actions #2

Updated by Alena Peterová over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Tomáš Doischer over 2 years ago

The report 'users-start-end' is from extras, so I created the corresponding ticket #2976. But I can fix it together.

Actions #4

Updated by Tomáš Doischer over 2 years ago

  • Assignee set to Tomáš Doischer
  • Target version changed from 2.3.0 to 271

The issue is that 'null' is given as permission in find; it should always be 'IdmBasePermission.READ'. I will fix this.
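
The root cause named in the comment above, shown as an added example that is not code from the ticket or from the project. It is a self-contained model: every type and method here is a hypothetical stand-in, only the name `IdmBasePermission.READ` comes from the ticket, and the "null skips the permission filter" behaviour and the subordinates-only policy are assumptions made for the demonstration.

```java
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical model of the pattern; not the project's own classes.
public class ReportPermissionDemo {
    enum IdmBasePermission { READ }
    record Identity(String username, String manager) {}

    // Stand-in for a service whose find() evaluates permissions only when one is passed.
    static class IdentityService {
        private final List<Identity> all;
        IdentityService(List<Identity> all) { this.all = all; }

        List<Identity> find(String loggedUser, IdmBasePermission permission) {
            if (permission == null) {
                return all; // assumed: no permission requested, so no authorization filter
            }
            // Assumed policy for the demo: a user may READ only their subordinates.
            return all.stream()
                      .filter(i -> loggedUser.equals(i.manager()))
                      .collect(Collectors.toList());
        }
    }

    // "Before": the report passes null, so it returns every identity.
    static List<Identity> reportBefore(IdentityService s, String user) {
        return s.find(user, null);
    }

    // "After": the report always asks for READ on behalf of the logged user.
    static List<Identity> reportAfter(IdentityService s, String user) {
        return s.find(user, IdmBasePermission.READ);
    }

    // Regression invariant: a report must not contain rows the user cannot READ.
    static boolean leaks(IdentityService s, String user, List<Identity> reportRows) {
        return !s.find(user, IdmBasePermission.READ).containsAll(reportRows);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        IdentityService service = new IdentityService(List.of(
            new Identity("alice", "manager1"),
            new Identity("bob", "manager1"),
            new Identity("carol", "manager2")));
        System.out.println("before leaks: " + leaks(service, "manager1", reportBefore(service, "manager1")));
        System.out.println("after leaks:  " + leaks(service, "manager1", reportAfter(service, "manager1")));
    }
}
```

The `leaks` check is the useful part for a test suite: run each report as a restricted user and assert its rows are a subset of what that user can read directly.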

Actions #5

Updated by Tomáš Doischer over 2 years ago

  • Status changed from New to In Progress

The issue is also in Identities and their password changes on a system (identity-password-changes-report).

Actions #6

Updated by Tomáš Doischer over 2 years ago

  • % Done changed from 0 to 50

Implemented but not yet fully tested. I added a permission check wherever I could see it was possible. By the way, this means that to see, for example, changes in roles, you must have permissions for audit. This makes sense to me but it could be surprising for some.

Branch: https://git.bcvsolutions.eu/modules/reports/-/tree/doischer/2965-add-permission-evaluation-to-reports

Actions #7

Updated by Tomáš Doischer over 2 years ago

  • % Done changed from 50 to 70

Finished testing the reports.

Right now, to use 'identity-role-changes-report' and 'identity-password-changes-report' you need to be able to read the provisioning archive. To use 'identity-role-changes-report' you need to be able to read audit. Further discussion is needed to see if this is the way to go.

Actions #8

Updated by Tomáš Doischer over 2 years ago

  • Target version changed from 271 to 2.3.0
Actions #9

Updated by Roman Kučera over 2 years ago

I did the review, LGTM.

Actions #10

Updated by Tomáš Doischer over 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 70 to 100

Released.

Actions #11

Updated by Tomáš Doischer over 2 years ago

  • Status changed from Resolved to Closed