ACLs ineffective in geographic map

Description

Steps to reproduce:

1. Provision a subset of geo-enabled nodes into a surveillance category "Test" that is visible to a group "testing" that a non-admin user exclusively belongs to. Omit at least one geo-enabled node from this category.

2. Log in as the non-admin user and verify that only the subset of nodes in the "Test" category are visible in the node list.

3. Still logged in as the non-admin user, navigate to the geographical map.

Expected result: Nodes displayed in geo-map are restricted as in the node list

Actual result: All nodes with geo-data are displayed

Beyond the geo-maps issue, it now appears (at least for a develop snapshot built on 16 Jan 2015) that ACLs are no longer being enforced at the DAO level. For instance, a non-admin user can now see a node that should be off-limits simply by changing the value of the "node" URL query parameter to element/node.jsp.

Environment

Any instance with ACLs enabled and configured and lat/lon asset fields for nodes

Acceptance / Success Criteria

None
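
The report covers three read paths: the node list, the node page reached through the "node" query parameter, and the geographical map. The sketch below shows one way to keep them consistent by routing all three through a single DAO-level check. It is an added example, not code from the project or from the fix; `AclNodeDao`, `Node`, the user names and the coordinates are hypothetical and constructed.

```python
"""Added example: one ACL check shared by the list, detail and geo-map read paths."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    node_id: int
    categories: frozenset
    lat: Optional[float] = None
    lon: Optional[float] = None


class AclNodeDao:
    """Hypothetical DAO: every read path filters by the caller's groups."""

    def __init__(self, nodes, group_categories, admins=()):
        self._nodes = {n.node_id: n for n in nodes}
        self._group_categories = group_categories  # group -> categories it may see
        self._admins = set(admins)

    def _allowed(self, user, groups, node):
        if user in self._admins:
            return True
        visible = set()
        for group in groups:
            visible |= self._group_categories.get(group, set())
        return bool(visible & node.categories)

    def find_all(self, user, groups):  # node list
        return [n for n in self._nodes.values() if self._allowed(user, groups, n)]

    def get(self, user, groups, node_id):  # node page selected by query parameter
        node = self._nodes.get(node_id)
        # Same error for "missing" and "off-limits" so node IDs cannot be probed.
        if node is None or not self._allowed(user, groups, node):
            raise PermissionError("node not found or not visible")
        return node

    def find_geolocated(self, user, groups):  # geographical map
        # Reuses find_all, so the map cannot show more than the node list.
        return [n for n in self.find_all(user, groups)
                if n.lat is not None and n.lon is not None]


# Constructed data mirroring the report: nodes 1 and 2 are in "Test", node 3 is omitted.
NODES = [Node(1, frozenset({"Test"}), 35.7, -79.1),
         Node(2, frozenset({"Test"}), 35.8, -78.6),
         Node(3, frozenset({"Production"}), 40.7, -74.0)]
DAO = AclNodeDao(NODES, {"testing": {"Test"}}, admins={"admin"})
```

A regression test for this issue would assert that the map result for the non-admin user equals the node-list result and that a direct lookup of the omitted node is refused.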

Activity

Alejandro Galue January 30, 2015 at 2:05 PM

That is good news, thanks!

Donald Desloge January 30, 2015 at 1:35 PM

The fix is pretty isolated in the MapWidgetComponent and easily cherry-picked.

Alejandro Galue January 30, 2015 at 1:21 PM

May I ask why 16? I think 14.0.4 and 15.0.1 should have this. I mean, this is a bug fix, not a new feature.

Donald Desloge January 29, 2015 at 3:30 PM

Updated to now respect the ACLs.

Fixed

Created January 23, 2015 at 10:58 AM
Updated January 30, 2015 at 2:05 PM
Resolved January 29, 2015 at 3:30 PM