ldap and permissions oddities

We tried to make OpenKM as intuitive as possible, but an advice is always welcome.
Forum rules
Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

ldap and permissions oddities

Post by chrwei » Thu May 30, 2019 6:10 pm

I have openkm 6.3.7 configured with ldap to active directory, everything seem to work normally from the web interface, but in both the .NET and php SDKs the getContent() from a non-admin user calls result in and HTTP 500 error "AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c". the first UUID is the file's and the 2nd is the folder it's in. the user is also the one that created the folder and the file via the .NET SDK. the security tab on the folder and file with list this user with full access.

if I add the user to ROLE_ADMIN in AD, the getContent() call works, removing it makes it not work again. I'm baffled what I should be doing different.

the logs only have this:

Code: Select all

==> /opt/openkm/tomcat-8.5.24/logs/catalina.out <==
2019-05-30 13:00:03,422 [http-nio-0.0.0.0-8080-exec-3] WARN  o.a.c.j.i.WebApplicationExceptionMapper - com.openkm.rest.GenericException: HTTP 500 Internal Server Error
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:163)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:201)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.openkm.core.AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c
	at com.openkm.module.db.stuff.SecurityHelper.checkExtended(SecurityHelper.java:148)
	at com.openkm.dao.NodeDocumentVersionDAO.getCurrentContentByParent(NodeDocumentVersionDAO.java:289)
	at com.openkm.module.db.base.BaseDocumentModule.getContent(BaseDocumentModule.java:283)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:494)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:457)
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:150)
	... 66 more


==> /opt/openkm/tomcat-8.5.24/logs/openkm.log <==
2019-05-30 13:00:03,422 [http-nio-0.0.0.0-8080-exec-3] [] WARN  o.a.c.j.i.WebApplicationExceptionMapper - com.openkm.rest.GenericException: HTTP 500 Internal Server Error
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:163)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:192)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:201)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.openkm.core.AccessDeniedException: 093f27c1-d7b7-492b-ba05-6548dc59097f : df2f9151-ad58-4399-9a33-ece0f1eb332c
	at com.openkm.module.db.stuff.SecurityHelper.checkExtended(SecurityHelper.java:148)
	at com.openkm.dao.NodeDocumentVersionDAO.getCurrentContentByParent(NodeDocumentVersionDAO.java:289)
	at com.openkm.module.db.base.BaseDocumentModule.getContent(BaseDocumentModule.java:283)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:494)
	at com.openkm.module.db.DbDocumentModule.getContent(DbDocumentModule.java:457)
	at com.openkm.rest.endpoint.DocumentService.getContent(DocumentService.java:150)
	... 66 more

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Thu May 30, 2019 7:02 pm

oddly, getContentByVersion works, there is only 1 version of the file.

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Fri May 31, 2019 6:54 pm

getContent and getContentByVersion should working in both scenarios for the same document. If you get permissions denied means something is wrong the question is where:
* ensure from openkm UI you can download the document ( is case from there goes right I will ask for more things )

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Fri May 31, 2019 7:06 pm

I can download from the UI, though at one point at I had changed "default.user.role" and the download option was disabled, but I could still download from the History tab, which actually seems like a bug. changing it back to ROLE_USER brought it back and works, but getContent() still fails. I guess i could nuke the install and try again since this is all still in testing, but I'd prefer to fix it.

with that one UI bug, it seems there is some difference in how permissions are evaluated along that path. unfortunately my java is fairly weak, so I'm not even sure where to start looking or playing.

and scripts or sql I can run to verify what's up?

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Fri Jun 07, 2019 6:25 pm

if you have changed ROLE_USER by other you should update all the entries in the table OKM_NODE_ROLE_PERMISSION

Code: Select all

update OKM_NODE_ROLE_PERMISSION set NRP_ROLE = 'newRoleName' where NRP_ROLE='ROLE_USER';

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Fri Jun 07, 2019 6:48 pm

everything in the table is already ROLE_USER or ROLE_ADMIN. I'm not actually trying to change it, just had a wrong ldap config item for a bit. ROLE_USER is what i want.

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Sun Jun 09, 2019 9:27 am

First must configure OpenKM configuration parameters for LDAP. When you succeed on it, from administration will be shown, users, roles and roles by users. At this point, you can start thinking in authentication but not before. I suggest reverting the changes to login from the database and work in the OpenKM configuration parameters.

Read with care what is explained here and try to follow
https://docs.openkm.com/kcenter/view/ok ... roles.html

Each time you go to users / roles view after you have applied a change is a good practice you refresh the OpenKM cache -> I think you have in the main administration menu or into tools > cache stats ( I do not remember exactly in community where is it )

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Mon Jun 10, 2019 1:23 pm

that is the guide I followed, and also what I used to verify my settings and how I found my one error that is now corrected.

I want to reiterate, the in the web interface everything works as expected, I can view any file as a ROLE_USER login as per the set permissions on the security tab. it is ONLY the SDK getContent() function that gives a permission denied and ONLY for ROLE_USER, no matter what permissions are set. getDocumentProperties() and getContentByVersion() does not give permission denied. there is very clearly some different code path in getContent().

cleared cache and the issue persists.

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Mon Jun 10, 2019 2:06 pm

fixed it.

I found the relevant source in src/main/java/com/openkm/dao/NodeDocumentVersionDAO.java.

the getContent() path has this additional code:

Code: Select all

			if (extendedSecurity) {
				if ((Config.SECURITY_EXTENDED_MASK & Permission.DOWNLOAD) == Permission.DOWNLOAD) {
					SecurityHelper.checkExtended(nDoc, Permission.DOWNLOAD);
				}
			}
which led me down some experimenting with permissions, ROLE_USER did not have download permission on /okm:root/ but did on everything else. adding it to root fixed the issue.

I didn't follow the regular web desktop paths in the code, but there is clearly a difference in how permissions are checked. the desktop does not require download permission on all parent folders including root, but API getContent() does.

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Thu Jun 13, 2019 5:57 pm

I suggest downloading OpenKM personal development environment what comes as Virtual Machine ( in our download section you have a link and a video ). And try to debug the OpenKM source code ( If you have not enabled extended mask has no sense the error you are explaining and also has no sense you can download from web UI and not from API ).

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Thu Jun 13, 2019 6:18 pm

I have

Code: Select all

security.extended.mask	Integer	9216
I didn't intentionally enable it, but it is clearly checking it, as it shows in the logs I posted

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Sat Jun 15, 2019 6:51 pm

This is the reason why is not downloading, it is evaluating extra security. If you are not interested in extra security, I suggest set to 0, refresh the user interface after the change and check again.

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Mon Jun 17, 2019 1:06 pm

I'm not sure weather I want it or not, I might actually.

my test shows that extended security with the API requires the specific permission to be on all parent folders of the item, including /root, and the web desktop does not require this. it's an odd difference.

jllort
Moderator
Moderator
Posts: 10707
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: ldap and permissions oddities

Post by jllort » Fri Jun 28, 2019 7:31 am

Explain an specific case with detail. Anyway does not have any kind of relation with ldap, I suggest open a new topic for it

chrwei
Fresh Boarder
Fresh Boarder
Posts: 17
Joined: Mon Apr 15, 2019 2:54 pm

Re: ldap and permissions oddities

Post by chrwei » Fri Jun 28, 2019 1:03 pm

remove a permission from /root but leave it on a folder. web desktop works, api doenst.

Post Reply