
WebDAV strange user permissions changes

Posted: Fri Oct 02, 2015 12:21 pm
by bouskam
Hello,
First, I would like to thank the author(s) for their amazing work; OpenKM seems to be a perfect document management system.

But I have probably found one bug: very strange behaviour when accessing the root repository through WebDAV.
OpenKM version 6.3.0 (build: 8156)
host OS: Linux 32 bit
client: Windows machine with WebDrive or native Windows Explorer

When I add a new user with ROLE_USER,
he can work exactly as expected (with write granted but delete revoked, he can create new folders and upload some documents, but not delete them).
BUT ... after some days of work, some logins/logouts, some folder creation and some folder permission changes (I did not find the exact combination to reproduce it again), the permissions became screwed up.

Nothing seems to have changed in the user configuration, the permissions look the same as they were, in the web interface there are also no changes, and everything is still working as before.
But suddenly this user got a delete privilege for WebDAV sessions.
Other user accounts are untouched; their WebDAV privileges are working fine (which means they are prohibited from deleting).

Simply put, there arises an inconsistency between web-interface permissions and WebDAV permissions for the one particular user.

I tried:
Set the user's role to Admin and back,
Deleted the user, created a new one with the same ID with ROLE_USER,
Recursively set folder permissions (based on roles) to full access and back for ROLE_USER (in the web interface)
Recursively set folder permissions (based on roles) through the script.
Created a new role, applied this role to the user account, set role permissions
....
but nothing helped; the user still had the delete permission,
but he could not upload new documents anymore; strange errors occurred (error: 0 B space left).
In OKM_NODE_ROLE, there were values: 15 for ROLE_ADMIN and 3 for ROLE_USER for all the affected uuids

(I added this after some hours of investigation:)
I figured out that when I restricted the ROLE_ADMIN (which is NOT the user's role) permission for all nodes recursively from 15 to 11 (or 3), it seems to be "fixed" => this indicates that the WebDAV server did not handle the role of the particular user correctly and treated a common user as if he were an admin.
After setting the ROLE_ADMIN permissions back to 15, all seems to be OK now; all users have the same WebDAV privileges as in the web interface, as they are supposed to.

Could you please answer these questions for me? It can help me to determine more details in case it happens again:

Can I set the log verbosity level used by WebDAV?
How can I determine the roles really applied to the WebDAV session?
What could have caused the difference between the permissions used by the web interface and WebDAV?
Can an inconsistency in OKM_NODE_ROLE and/or other related tables be automatically fixed by the system when all the node permissions for all roles are changed?

Thank you!

Re: WebDAV strange user permissions changes

Posted: Sat Oct 03, 2015 5:16 pm
by jllort
You should not propagate ROLE_USER or ROLE_ADMIN in your repository; these are for getting connection grants (also ROLE_ADMIN for getting super user grants).

Can you give us a screenshot of some document or folder with the security tab shown? We'll try to reproduce it on our side.

Re: WebDAV strange user permissions changes

Posted: Mon Oct 05, 2015 10:19 am
by bouskam
Hello,
thanks for replying and trying to help me, but I'm afraid that this problem can't be simply reproduced.
How the problem occurred is unclear, and it disappeared with the last step mentioned above (revoking ROLE_ADMIN recursively and setting it back again).

Basically, the issue is that even if only roles were applied without any user-dedicated permissions, suddenly one user has got other permissions than another user with the same role.

This state should not normally occur - maybe a database error or some OS-related errors have caused it, but this is my guess only.
I found nothing in catalina.log - maybe a more verbose log may help with the investigation...

Here is how the permissions look (now with two more roles to avoid using ROLE_USER and ROLE_ADMIN):
Image


Here is what the log was saying (not much):

1. (the file was deleted, but should not have been):
2015-10-02 10:36:59,880 [http-bio-0.0.0.0-8080-exec-8] INFO com.bradmcevoy.http.HttpManager- DELETE :: http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q997/Q997.pdf - http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q997/Q997.pdf
2015-10-02 10:37:02,662 [http-bio-0.0.0.0-8080-exec-2] INFO com.bradmcevoy.http.HttpManager- PROPFIND :: http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q997 - http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q997


2. (another user account worked as expected):
2015-10-02 10:52:09,151 [http-bio-0.0.0.0-8080-exec-8] INFO com.bradmcevoy.http.HttpManager- DELETE :: http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q1311/Q1311.doc - http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q1311/Q1311.doc
2015-10-02 10:52:09,176 [http-bio-0.0.0.0-8080-exec-8] WARN com.bradmcevoy.http.StandardFilter- conflictException: Conflict exception: Q1311.doc
2015-10-02 10:52:09,212 [http-bio-0.0.0.0-8080-exec-10] INFO com.bradmcevoy.http.HttpManager- PROPFIND :: http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q1311 - http://192.168.98.26:8080/OpenKM/webdav/okm_root/zakazky/Q2015/Q1311


and here is also the OKM_NODE_ROLE dump
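
The two log excerpts above differ only in whether a `StandardFilter` `conflictException` WARN follows the `DELETE` on the same worker thread. The following sketch is an added example, not part of the original post and not OpenKM code: it flags WebDAV DELETE requests that were not followed by that WARN, assuming (from the second excerpt only) that a refused delete always logs it. The function name, the 2-second window and the sample host and paths are made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same log4j layout as the excerpts in the post
# (host, paths and file names are made up for this example).
SAMPLE_LOG = """\
2015-10-02 10:36:59,880 [http-bio-0.0.0.0-8080-exec-8] INFO com.bradmcevoy.http.HttpManager- DELETE :: http://dms.example/OpenKM/webdav/okm_root/a/A1.pdf - http://dms.example/OpenKM/webdav/okm_root/a/A1.pdf
2015-10-02 10:37:02,662 [http-bio-0.0.0.0-8080-exec-2] INFO com.bradmcevoy.http.HttpManager- PROPFIND :: http://dms.example/OpenKM/webdav/okm_root/a - http://dms.example/OpenKM/webdav/okm_root/a
2015-10-02 10:52:09,151 [http-bio-0.0.0.0-8080-exec-8] INFO com.bradmcevoy.http.HttpManager- DELETE :: http://dms.example/OpenKM/webdav/okm_root/b/B1.doc - http://dms.example/OpenKM/webdav/okm_root/b/B1.doc
2015-10-02 10:52:09,176 [http-bio-0.0.0.0-8080-exec-8] WARN com.bradmcevoy.http.StandardFilter- conflictException: Conflict exception: B1.doc
2015-10-02 10:52:09,212 [http-bio-0.0.0.0-8080-exec-10] INFO com.bradmcevoy.http.HttpManager- PROPFIND :: http://dms.example/OpenKM/webdav/okm_root/b - http://dms.example/OpenKM/webdav/okm_root/b
"""

# timestamp, [thread], level, logger (ends with '-'), message
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[([^\]]+)\] (\w+)\s+(\S+?)-\s+(.*)$")

def unblocked_deletes(log_text, window=timedelta(seconds=2)):
    """URLs of DELETEs with no conflictException WARN on the same thread within `window`."""
    pending = {}   # thread -> (timestamp, url) of a DELETE not yet seen refused
    allowed = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        thread, logger, msg = m.group(2), m.group(4), m.group(5)
        if logger.endswith("HttpManager") and msg.startswith("DELETE :: "):
            if thread in pending:          # earlier DELETE was never refused
                allowed.append(pending[thread][1])
            url = msg.split(" :: ", 1)[1].split(" - ")[0]
            pending[thread] = (ts, url)
        elif logger.endswith("StandardFilter") and "conflictException" in msg:
            prev = pending.get(thread)
            if prev and ts - prev[0] <= window:
                del pending[thread]        # this DELETE was refused
    allowed.extend(url for _, url in pending.values())
    return allowed

if __name__ == "__main__":
    for url in unblocked_deletes(SAMPLE_LOG):
        print("DELETE not refused:", url)
```

These log lines carry no account name, so each flagged URL still has to be matched to a user by other means before comparing it with the permissions shown in the web interface.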

Re: WebDAV strange user permissions changes

Posted: Tue Oct 06, 2015 6:04 pm
by jllort
There is a bug in the roles table when removing roles (if you remove several, it can cause you to not really be removing what the table is showing to you). I suggest upgrading to 6.3.1 (download from here http://integration.openkm.com/ and here are the steps for upgrading http://wiki.openkm.com/index.php/Migrat ... 3_to_6.3.1 ).

Tell us if that solved the problem.