KarlAdmin cannot edit/delete blog entry/comment

Bug #407011 reported by Paul Everitt
This bug affects 2 people
Affects  Status        Importance  Assigned to  Milestone
KARL3    Fix Released  Medium      Chris Rossi

Bug Description

We recently had a bunch of out-of-office messages flood the KARL Feedback community's blog:

  https://karl.soros.org/communities/karl-feedback-community/blog/

Nat would like to delete this using nborland which should (I believe) have KarlAdmin rights. However, he doesn't see Edit/Delete as actions.

Shane Hathaway (shane-hathawaymix) wrote :

Hopefully Chris M is thinking about this as he does his security rework. The problem is each blog entry has an ACL that does not allow KarlAdmin to do anything other than what any authenticated user can do. There are 2 obvious solutions: either each ACL needs to explicitly allow KarlAdmin to perform administration tasks, or we need to remove the NO_INHERIT flags from the ACLs. The first solution is more robust and predictable, so I prefer it, but it will increase the size of the database a bit.

Paul Everitt (paul-agendaless) wrote : Re: [Bug 407011] Re: KarlAdmin cannot edit/delete blog entry/comment

Letting ChrisM in on the fun. Chris, you thinking about this?

--Paul

On Jul 31, 2009, at 7:33 PM, Shane Hathaway wrote:

> Hopefully Chris M is thinking about this as he does his security rework.
> The problem is each blog entry has an ACL that does not allow KarlAdmin
> to do anything other than what any authenticated user can do. There are
> 2 obvious solutions: either each ACL needs to explicitly allow KarlAdmin
> to perform administration tasks, or we need to remove the NO_INHERIT
> flags from the ACLs. The first solution is more robust and predictable,
> so I prefer it, but it will increase the size of the database a bit.

Chris McDonough (chrism-plope) wrote :

I'm a little confused about "remove the 'NO_INHERITS'" in Shane's sentence
below, but I think I know what's going on.

The current set of workflow states for blog entries and blog comments are
"inherits", "private", and "public". "Inherits" is the state that all mailed-in
comments will be in (comments added through the web will be in the public state,
which is very different, because the two methods aren't symmetrical; don't ask).

The "inherits" state for comments explicitly denies everyone the ('edit',
'delete') permission. But this is different than NO_INHERITS (which denies
everyone all permissions).

If you mean that the ACL should look like this:

(Allow, ob.creator, MEMBER_PERMS),
(Allow, 'group.KarlAdmin', ADMINISTRATOR_PERMS),
(Deny, Everyone, ('edit', 'delete')),

Then yeah, definitely, I've already made that change on my branch.

On 7/31/09 9:26 PM, Paul Everitt wrote:
>
> Letting ChrisM in on the fun. Chris, you thinking about this?
>
> --Paul
>
> On Jul 31, 2009, at 7:33 PM, Shane Hathaway wrote:
>
>> Hopefully Chris M is thinking about this as he does his security rework.
>> The problem is each blog entry has an ACL that does not allow KarlAdmin
>> to do anything other than what any authenticated user can do. There are
>> 2 obvious solutions: either each ACL needs to explicitly allow KarlAdmin
>> to perform administration tasks, or we need to remove the NO_INHERIT
>> flags from the ACLs. The first solution is more robust and predictable,
>> so I prefer it, but it will increase the size of the database a bit.

Shane Hathaway (shane-hathawaymix) wrote :

Chris McDonough wrote:
> If you mean that the ACL should look like this:
>
> (Allow, ob.creator, MEMBER_PERMS),
> (Allow, 'group.KarlAdmin', ADMINISTRATOR_PERMS),
> (Deny, Everyone, ('edit', 'delete')),
>
> Then yeah, definitely, I've already made that change on my branch.

Exactly. It sounds like your branch will have the nice side effect of
closing this bug. Cool.

Shane

Changed in karl3:
assignee: Shane Hathaway (shane-hathawaymix) → Chris McDonough (chrism-plope)
Paul Everitt (paul-agendaless) wrote :

Move to next week. This is part of landing workflow.

Changed in karl3:
milestone: m25 → m27
Paul Everitt (paul-agendaless) wrote :

Let's move this to next week.

Changed in karl3:
milestone: m27 → m28
Changed in karl3:
assignee: Chris McDonough (chrism-plope) → Chris Rossi (chris-archimedeanco)
status: New → In Progress
Chris Rossi (chris-archimedeanco) wrote :

As a stopgap until Chris M finishes his merge of the workflow stuff, I've gone ahead and updated the acl's in the 'inherits' workflow state to include KarlAdmin users, and I've created an evolve script to update existing acl's. When updating OSI, we will need to run the bin/evolve script to clean up existing acl's.

This change is in OSI's Karl only--I can port this to other partners too, if we like. Once we upgrade everyone to Chris M's new workflow stuff, this stopgap will no longer be needed.
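
Added example, not part of the original thread and not KARL or repoze.bfg code: a simplified first-match ACL evaluator showing why the Deny for Everyone shadowed the admin grant, why the position of the KarlAdmin entry in the ACL agreed on above matters, and how a post-upgrade check can list objects whose stored ACL still needs the evolve step. The permission sets, the user "alice" and the object tree are constructed for illustration.

```python
# Simplified first-match ACL model (an assumption for illustration only).
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"
ALL = object()                       # sentinel that matches any permission
NO_INHERIT = (Deny, Everyone, ALL)   # per the thread: denies everyone everything

# Placeholder permission sets; the real values are not given in the thread.
MEMBER_PERMS = ("view", "comment")
ADMINISTRATOR_PERMS = ("view", "comment", "edit", "delete")

class Node:
    def __init__(self, name, parent=None, acl=()):
        self.name, self.parent, self.acl = name, parent, acl

def permits(node, principals, permission):
    """Walk node -> root; the first ACE matching a principal and permission decides."""
    while node is not None:
        for action, principal, perms in node.acl:
            if principal in principals and (perms is ALL or permission in perms):
                return action == Allow
        node = node.parent
    return False  # no ACE matched anywhere: default deny

def needs_evolve(nodes, principals, permission):
    """Names of nodes where these principals are still refused the permission."""
    return [n.name for n in nodes if not permits(n, principals, permission)]

# Constructed tree: the site root grants KarlAdmin; entries carry their own ACL.
admin_ace = (Allow, "group.KarlAdmin", ADMINISTRATOR_PERMS)
creator_ace = (Allow, "alice", MEMBER_PERMS)
deny_edit = (Deny, Everyone, ("edit", "delete"))
root = Node("site", acl=[admin_ace])
blog = Node("blog", parent=root)

entries = [
    Node("before-fix", blog, [creator_ace, deny_edit]),             # Deny shadows root grant
    Node("fixed", blog, [creator_ace, admin_ace, deny_edit]),       # ACL from the thread
    Node("wrong-order", blog, [creator_ace, deny_edit, admin_ace]), # Allow never reached
    Node("no-inherit", blog, [creator_ace, NO_INHERIT]),            # lineage walk cut off
]
ADMIN = {"nborland", "group.KarlAdmin", Everyone}
MEMBER = {"alice", Everyone}

if __name__ == "__main__":
    print(needs_evolve(entries, ADMIN, "delete"))
```

Running the same check with the moderator or site-admin principals against production objects after an upgrade shows which stored ACLs the migration missed.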

Changed in karl3:
status: In Progress → Fix Committed
Paul Everitt (paul-agendaless) wrote :

The original reporter was Eurasia, so they'll need it too. I think
Oxfam also has a case where a blog got polluted with vacation messages.

--Paul

On Aug 19, 2009, at 2:48 PM, Chris Rossi wrote:

> As a stopgap until Chris M finishes his merge of the workflow stuff,
> I've gone ahead and updated the acl's in the 'inherits' workflow state
> to include KarlAdmin users, and I've created an evolve script to update
> existing acl's. When updating OSI, we will need to run the bin/evolve
> script to clean up existing acl's.
>
> This change is in OSI's Karl only--I can port this to other partners
> too, if we like. Once we upgrade everyone to Chris M's new workflow
> stuff, this stopgap will no longer be needed.

Chris Rossi (chris-archimedeanco) wrote :

Ok, everybody has the update now. Everyone will require running bin/evolve --latest to update existing ACLs.

Anthony (agalietti)
Changed in karl3:
status: Fix Committed → Fix Released
Nat Katin-Borland (nborland) wrote :

I still don't see this option when I go to delete a stray post. Even if I type delete into the URL bar manually, I still get a forbidden screen. The thing happened when Jason tried to delete a post. Is there a trick to getting this to work?

Paul Everitt (paul-agendaless) wrote :

Chris, was there anything that we were supposed to run in production
to make this option re-appear?

--Paul

On Aug 31, 2009, at 5:45 PM, Nat Katin-Borland wrote:

> I still don't see this option when I go to delete a stray post. Even if
> I type delete into the URL bar manually, I still get a forbidden screen.
> The thing happened when Jason tried to delete a post. Is there a trick
> to getting this to work?

Paul Everitt (paul-agendaless) wrote :
Attachment: SafariScreenSnapz001.mov (208.2 KiB, video/quicktime)

Hi Nat. I wasn't able to recreate this. That is, as moderator on
production, I was able to see the link to delete someone else's blog
comment. I was also able to go to the confirmation screen, and the
comment was actually deleted.

--Paul

On Aug 31, 2009, at 5:45 PM, Nat Katin-Borland wrote:

> I still don't see this option when I go to delete a stray post. Even if
> I type delete into the URL bar manually, I still get a forbidden screen.
> The thing happened when Jason tried to delete a post. Is there a trick
> to getting this to work?

Erik Tepley-Ferguson (etepleyferguson) wrote :

Hi Paul,

Interestingly, this popped up for us again as well -- but in a different spot than the blog entry, etc., that we discussed previously. Please take a look at https://efnetwork.org/offices/epf/referencemanuals/hr/staff-directories/epf-armenia-staff-directory-as-of-january-2009.pdf/delete.html -- I'm having the same problem there with every admin login I try.

The Delete button does show up on .../epf-armenia-staff-directory-as-of-january-2009.pdf, but when I click it to get to /delete.html, I get the Forbidden screen.

-Erik
Eurasia Foundation

Nat Katin-Borland (nborland) wrote :

I'm not sure what's going on, but none of us are getting a delete option (Jason, Anthony or I) when we try to clean up blog posts that other users have authored, something we used to be able to do as KARL admins...

Changed in karl3:
status: Fix Released → Incomplete
Nat Katin-Borland (nborland) wrote :

Is the problem that you enabled this feature only for moderators, not admins? If I go to a community where I am a moderator, then I can delete other users' posts. As a site admin, however, I need to be able to delete stray posts/comments even when I'm not an official moderator in the community.

Paul Everitt (paul-agendaless) wrote :

Correct, Erik at Eurasia reported something similar. I made you a
subscriber to this issue so you could see his comments.

--Paul

On Sep 1, 2009, at 5:24 PM, Nat Katin-Borland wrote:

> I'm not sure what's going on, but none of us are getting a delete option
> (Jason, Anthony or I) when we try to clean up blog posts that other
> users have authored, something we used to be able to do as KARL admins...

Changed in karl3:
status: Incomplete → Fix Released