Issue #58: After RC 2.2.5 migration, local admin cannot fork
Reported by: Arnaud GUT
State: invalid
Created on: 2014-11-26 17:01
Updated on: 2014-11-27 13:53
Description
In RC, I created a user's group, put a user (named train03) in it and gave Fork default permission to this user's group.
In RC, I gave admin rights to this user's group on a top level repo group (CF_Domain) and created a repo in it (test_fork).
The user train03 can fork the repo.
I migrated to KLT 0.1 with no problems.
Then, the user train03 can no longer fork the repo: 403 forbidden. Logs:
2014-11-26 17:43:29.781 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:43:29.892 INFO [kallithea.lib.auth] user <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork
2014-11-26 17:43:30.545 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 0.825s
2014-11-26 17:43:30.578 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:43:30.581 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 0.036s
For information, if I add another user (named train02) in the same user's group, this user can fork! Logs:
2014-11-26 17:47:54.608 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:47:54.693 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork
2014-11-26 17:47:55.933 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 1.353s
2014-11-26 17:47:59.545 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:47:59.790 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork_create
2014-11-26 17:48:00.551 INFO [kallithea.lib.utils] Logging action:started_following_repo on <RepoTemp('id:934')> by user:<User('id:17:train02')> ip:10.10.168.170
2014-11-26 17:48:00.571 INFO [kallithea.lib.utils] Logging action:user_forked_repo:CF_Domain/test_fork-fork on CF_Domain/test_fork by user:<User('id:17:train02')> ip:10.10.168.170
2014-11-26 17:48:00.632 INFO [kallithea.model.repo] creating repo test_fork-fork in /product/repo/CF_Domain/test_fork-fork from url: `/product/repo/CF_Domain/test_fork`
2014-11-26 17:48:00.722 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 1.204s
2014-11-26 17:48:00.760 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork-fork/repo_creating
2014-11-26 17:48:00.762 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ReposController:__before__
2014-11-26 17:48:00.876 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ReposController:repo_creating
2014-11-26 17:48:01.623 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork-fork/repo_creating time: 0.889s
2014-11-26 17:48:02.163 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork-fork/crepo_check
2014-11-26 17:48:02.167 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ReposController:__before__
2014-11-26 17:48:02.234 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ReposController:repo_check
2014-11-26 17:48:02.251 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork-fork/crepo_check time: 0.126s
2014-11-26 17:48:02.298 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork-fork
2014-11-26 17:48:02.362 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func SummaryController:index
2014-11-26 17:48:03.054 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork-fork time: 0.782s
I have the same behavior for all repos.
If I try to remove the first user (train03) from the user's group and then add it in again, train03 still cannot fork.
This is extremely blocking for me as I have one hundred users in this case, in dozens of user's groups and thousands of repos.
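An added example, not part of the original report and not Kallithea code: in the logs quoted above, train03's second request to the fork URL completes with no "IS authenticated on func" entry, while each of train02's requests has one. The sketch below flags such requests; the function name is hypothetical, the sample lines are copied from the report, and it assumes entries from concurrent requests are not interleaved.

```python
import re

# Sample lines copied from the logs quoted in the report (train02's run abridged).
SAMPLE_LOG = """\
2014-11-26 17:43:29.781 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:43:29.892 INFO [kallithea.lib.auth] user <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork
2014-11-26 17:43:30.545 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 0.825s
2014-11-26 17:43:30.578 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:257[train03] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:43:30.581 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 0.036s
2014-11-26 17:47:54.608 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:47:54.693 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork
2014-11-26 17:47:55.933 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 1.353s
2014-11-26 17:47:59.545 INFO [kallithea.lib.base] IP: 10.10.168.170 User: <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> accessed /CF_Domain/test_fork/fork
2014-11-26 17:47:59.790 INFO [kallithea.lib.auth] user <AuthUser('id:17[train02] ip:10.10.168.170 auth:True')> authenticating with:RegularAuth IS authenticated on func ForksController:fork_create
2014-11-26 17:48:00.722 INFO [kallithea.RequestWrapper] IP: 10.10.168.170 Request to /CF_Domain/test_fork/fork time: 1.204s
"""

# One pattern per log source seen in the report.
ACCESSED = re.compile(r"\[kallithea\.lib\.base\] .*AuthUser\('id:\d+\[([^\]]+)\].*accessed (\S+)")
AUTHED = re.compile(r"\[kallithea\.lib\.auth\] .*AuthUser\('id:\d+\[([^\]]+)\].*IS authenticated on func (\S+)")
DONE = re.compile(r"\[kallithea\.RequestWrapper\] .*Request to (\S+) time:")


def requests_without_auth_line(log_text):
    """Return (user, path) for every request that finished without an
    'IS authenticated on func' entry between 'accessed' and 'Request to'."""
    flagged, pending = [], None  # pending = [user, path, funcs reached]
    for line in log_text.splitlines():
        if m := ACCESSED.search(line):
            pending = [m.group(1), m.group(2), []]
        elif (m := AUTHED.search(line)) and pending and m.group(1) == pending[0]:
            pending[2].append(m.group(2))
        elif (m := DONE.search(line)) and pending and m.group(1) == pending[1]:
            if not pending[2]:
                flagged.append((pending[0], pending[1]))
            pending = None
    return flagged


if __name__ == "__main__":
    for user, path in requests_without_auth_line(SAMPLE_LOG):
        print(f"{user}: request to {path} has no authorization success entry")
```
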
Comments
Comment by Mads Kiilerich, on 2014-11-26 17:09
There is not much here that can help reproduce the problem.
Try comparing the Permissions page for these 2 users and verify they are exactly the same.
Comment by Arnaud GUT, on 2014-11-27 08:23
Comparison shows clearly that one user has "Repo forking disabled" and the other has "Repo forking enabled". Question: if a user is local admin of a top level repo group through a user's group which has forking enabled, and normal user for another top level repo group, what must the global permission of this user show?
Comment by Mads Kiilerich, on 2014-11-27 13:52
I don't understand the question ... but I also do not understand the complexity of the current access control system. I would like to replace it with something simpler.
Comment by Mads Kiilerich, on 2014-11-27 13:53
User error / misconfiguration.