Certain OSI staff visible to affiliates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
KARL3 | Fix Released | Medium | Shane Hathaway | m26
Bug Description
Affiliates seem to be able to see OSI staff who have no community memberships. Having no communities seems to break the security settings.
Email trail:
-------
Hi Paul,
A sample of the 30 plus users includes:
Juan Aristi
Robert Basch
Julia Gordonna
Tom Penniston
Tamas Varga
They are all listed in GSA. They are not necessarily ‘affiliates’. Rather, they are staff from various parts of our organization.
Nat will enter this into Launchpad.
Thanks.
-Anthony
-------
From: Paul E
Sent: Tuesday, August 04, 2009 6:37 AM
To: Nathaniel K-B
Cc: Jason L; Thomas M; KARL Admin
Subject: Re: personal log-in access to people
Yes, this should go into LP. We'll need to know a few of the 30 usernames you mention below.
Also, can we take a look in GSA and see if these 30 or so affiliate users exist there? This might show that it was a migration problem and not an ongoing problem. If so, a one-time content cleanup activity would do the trick.
--Paul
On Aug 3, 2009, at 3:46 PM, Nathaniel K-B wrote:
Hi All,
I logged on using my Affiliate Account and explored this issue for a while this afternoon and I think I see why certain users are visible in the People Directory even though we don’t share any communities. It seems that only users without any community memberships are visible. The 30 or so users that Jason identified below all have no communities. Is it possible that this is somehow allowing them to slip through KARL’s security framework? Should this be entered into Launchpad as a bug?
Thanks,
Nat
-------
From: Jason L
Sent: Monday, August 03, 2009 9:39 AM
To: Thomas M; KARL Admin
Subject: RE: personal log-in access to people
I did a little bit of investigation on this… The communities the user moroztom is a member of contain 43 (Media Freedom in Africa) + 13 (GrantTracker BP Implementation) + 1 (Tom Moroz Private) members, for a total of 58 members that should be visible to the user.
After testing some of the links in the people directory, I got a Forbidden error when loading up the actual profile for the person. It appears there is something out of sync in the indexing. I ran the reindex script on the people directory which brought the number of people visible in the people directory down to 88 (66% correct).
For the remaining 30 people moroztom should not be able to see, the few that I’ve found thus far appear to allow moroztom to view their profile. Since the profile is controlled outside of karl.peopledir, this part appears to be a bug in core KARL.
There are two paths to resolution going forward:
Research the 30 visible members and file a Launchpad bug for core KARL to fix the profile security issue if research proves it exists
As a safety measure, run the reindex script for karl.peopledir every night. I will try to set this up in the next few days.
- Jason
-------
From: Thomas M
Sent: Sunday, August 02, 2009 6:34 PM
To: KARL Admin
Subject: personal log-in access to people
Hi – I was exploring KARL today using my personal log-in (as opposed to OSI) and I found that when I clicked on People, I had access to 166 people, most of whom I do not know, and I am not sharing a community with 90% of them. Why does this happen? I think this raises some security concerns and we should explore how to make the People feature work properly for affiliate users.
Thanks,
Tom
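The thread above suspects two things: that profiles with no community memberships slip past the "must share a community" rule, and that the profile view is guarded separately from the people directory listing, so reindexing the directory alone cannot close the hole. The script below is an added illustration of one way that symptom arises and is not KARL's code; the ACL derivation, the root ACL, the principal names and the sample profiles are all hypothetical. It models ACL inheritance in the style of Zope/repoze.bfg: when a profile's own ACL is empty the policy walks up to a permissive parent, so a membership-derived ACL that emits nothing for an empty membership set makes exactly those profiles visible to everyone.

```python
"""Hypothetical illustration (not KARL's code) of how a profile with no
community memberships can fall through to a permissive inherited ACL."""
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"
EVERYONE = "system.Everyone"
VIEW = "view"


@dataclass(frozen=True)
class Profile:
    username: str
    communities: frozenset = field(default_factory=frozenset)


# Constructed sample data; the names are invented and not from the bug report.
PROFILES = {
    "affiliate": Profile("affiliate", frozenset({"media-freedom"})),
    "colleague": Profile("colleague", frozenset({"media-freedom", "grant-tracker"})),
    "stranger": Profile("stranger", frozenset({"other-community"})),
    "staffer": Profile("staffer"),  # staff member with no community memberships
}

# Hypothetical permissive ACL higher up the object tree: any principal may view.
ROOT_ACL = [(ALLOW, EVERYONE, VIEW)]


def group_for(community):
    """Principal name assumed for members of a community (hypothetical)."""
    return "group.community:" + community


def profile_acl_buggy(profile):
    """Derive the profile's local ACL from its memberships and terminate it
    with a deny-all, except when there is nothing to allow: then it returns
    no local ACL at all, and the policy falls through to ROOT_ACL."""
    if not profile.communities:
        return []
    acl = [(ALLOW, group_for(c), VIEW) for c in sorted(profile.communities)]
    acl.append((ALLOW, profile.username, VIEW))
    acl.append((DENY, EVERYONE, VIEW))
    return acl


def profile_acl_fixed(profile):
    """Always emit the owner entry and the deny-all terminator, so a profile's
    local ACL is never empty and inheritance never decides profile visibility."""
    acl = [(ALLOW, group_for(c), VIEW) for c in sorted(profile.communities)]
    acl.append((ALLOW, profile.username, VIEW))
    acl.append((DENY, EVERYONE, VIEW))
    return acl


def principals_for(viewer):
    """Principals a logged-in viewer carries: self, everyone, community groups."""
    return {viewer.username, EVERYONE} | {group_for(c) for c in viewer.communities}


def permits(acl_chain, principals, permission):
    """First matching ACE wins, walking from the object's own ACL up to the
    root; an empty local ACL contributes nothing and the walk continues."""
    for acl in acl_chain:
        for action, principal, perm in acl:
            if principal in principals and perm == permission:
                return action == ALLOW
    return False


def visible_profiles(viewer, acl_func, profiles=PROFILES):
    """Profiles the viewer may see when one permission check guards both the
    directory listing and the individual profile view."""
    principals = principals_for(viewer)
    return sorted(
        name for name, p in profiles.items()
        if permits([acl_func(p), ROOT_ACL], principals, VIEW)
    )


if __name__ == "__main__":
    affiliate = PROFILES["affiliate"]
    print("buggy:", visible_profiles(affiliate, profile_acl_buggy))
    print("fixed:", visible_profiles(affiliate, profile_acl_fixed))
```

With the buggy derivation the affiliate sees the staffer who belongs to no community but not the stranger who belongs to an unrelated one, which is the pattern Nat observed. The fix is in the profile's own security, not in the directory index: driving both the listing and the profile view through the same `permits` call is what keeps a listing from advertising profiles that then return Forbidden, or, as here, profiles that should have.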
Changed in karl3:
importance: Undecided → Medium
assignee: nobody → Paul Everitt (paul-agendaless)
Changed in karl3:
assignee: Paul Everitt (paul-agendaless) → Shane Hathaway (shane-hathawaymix)
milestone: none → m26
Shane, think this is something you could work on later this week?