Bug 35624 - search_base is wrongly initialized: Tests against OU-DN fail
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Classes / Teachers / Workgroup assignment
UCS@school 3.2 R2
Other Linux
P5 normal
UCS@school 3.2 R2 Errata
Assigned To: Dirk Wiesenthal
Florian Best
Duplicates: 34859
Reported: 2014-08-15 17:50 CEST by Dirk Wiesenthal
Modified: 2014-08-27 17:01 CEST
Description Dirk Wiesenthal univentionstaff 2014-08-15 17:50:10 CEST
There is a possibly serious bug in "@LDAP_Connection"-decorated functions that cannot be solved on a lower level: The decorator initializes a variable search_base with all available schools.

If the list of available schools is 1 (which is the case for users with ou= in their user DN (teachers, etc.)) everything is fine: They can only view, say, rooms for that school and test against that school.

But "Administrator" does not have an ou= in her user DN: The list of schools is complete. In this case, tests like search_base.isTeacher() test against the OU of *the first* school in this list.

Now, if Administrator wants to assign teachers to a class of another school (not the first one), the code fails:

  memberDNs = [ usr for usr in grp[ 'users' ] if search_base.isTeacher(usr) ]

will always return an empty list for that group as no member's DN is "below" the first school's DN.

Fix is to create a new search_base every time a test like this is done.
  school_name = SchoolSearchBase.getOU(grp.dn)
  search_base = SchoolSearchBase([school_name])

This has to be done for ucs-school-umc-groups and potentially all other modules (has to be checked manually).

Scope of this bug is ucs-school-umc-groups. Feel free to clone this bug again and again.

Note that the ucsschool.lib does not suffer from this bug. But it has not yet received wide adoption.
Comment 1 Dirk Wiesenthal univentionstaff 2014-08-15 21:29:04 CEST
This bug may not be that serious in general because of the following code in @LDAP_Connection():

# THIS IS BUGGY
kwargs['search_base'] = _search_base
if len(args) > 1 and isinstance(args[1], Message):
  # Some strange "convention over configuration" sets the search_base correctly
  school = isinstance( args[1].options, dict ) and args[1].options.get('school') or None
  if school:
    kwargs[ 'search_base' ] = SchoolSearchBase( _search_base.availableSchools, school )


Nevertheless, this 'school' parameter may not always be set (as it was not in the ucs-school-umc-groups case), so we need to check this very error-prone search_base.
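
The failure and the fix described in the Description and Comment 1, as an added example that is not part of the original bug report or the UCS@school code. ToySearchBase is a simplified stand-in for SchoolSearchBase; the DN layout, school names and sample DNs are constructed assumptions.

```python
# Simplified stand-in for the search-base object described in the report.
# Class name, DN layout and all sample DNs are constructed for illustration.
import re

BASE = "dc=example,dc=org"  # constructed LDAP base


class ToySearchBase:
    def __init__(self, available_schools, school=None):
        self.available_schools = list(available_schools)
        # Behaviour from the report: with no explicit school, the first
        # available school silently becomes the scope of every test.
        self.school = school or self.available_schools[0]
        self.teachers = "cn=teachers,cn=users,ou=%s,%s" % (self.school, BASE)

    @staticmethod
    def get_ou(dn):
        """Return the value of the first ou= component of a DN, or None."""
        match = re.search(r"(?:^|,)ou=([^,]+)", dn, re.IGNORECASE)
        return match.group(1) if match else None

    def is_teacher(self, user_dn):
        return user_dn.lower().endswith("," + self.teachers.lower())


def teachers_shared_base(group, search_base):
    """Pattern from the report: filter with the decorator-provided base."""
    return [u for u in group["users"] if search_base.is_teacher(u)]


def teachers_per_group_base(group):
    """Fix from the report: derive the school from the group's own DN."""
    school = ToySearchBase.get_ou(group["dn"])
    if school is None:
        raise ValueError("group DN has no ou= component: %r" % group["dn"])
    base = ToySearchBase([school])  # scoped to the group's school only
    return [u for u in group["users"] if base.is_teacher(u)]


# Constructed sample: a class in the second school, viewed by a user
# whose list of available schools holds both schools.
ADMIN_BASE = ToySearchBase(["school1", "school2"])
GROUP = {
    "dn": "cn=school2-1a,cn=classes,cn=groups,ou=school2," + BASE,
    "users": [
        "uid=teacher1,cn=teachers,cn=users,ou=school2," + BASE,
        "uid=student1,cn=students,cn=users,ou=school2," + BASE,
    ],
}
```

teachers_shared_base(GROUP, ADMIN_BASE) returns an empty list because the shared base is scoped to school1, while teachers_per_group_base(GROUP) returns the teacher's DN.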
Comment 2 Dirk Wiesenthal univentionstaff 2014-08-20 00:22:53 CEST
ucs-school-umc-groups 2.0.5-3
Comment 3 Dirk Wiesenthal univentionstaff 2014-08-20 00:24:26 CEST
*** Bug 34859 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2014-08-21 11:23:43 CEST
Code-Review: OK
Fix: OK

I did not find further occurrences of that bug.
Changelog: OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2014-08-27 17:01:45 CEST
UCS@school 3.2 R2 v2 has been released:
http://docs.univention.de/release-notes-ucsschool-3.2R2v2-de.html

If this error occurs again, please use "Clone This Bug".