Bug 46336 - Make portal entries visible only for authenticated users of certain groups
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
UCS 4.3
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.3
Assigned To: Dirk Wiesenthal
Stefan Gohmann
: interim-2
Depends on: 46270 46702
Blocks: 46277
Reported: 2018-02-19 13:19 CET by Dirk Wiesenthal
Modified: 2018-03-20 09:12 CET
CC List: 6 users

What kind of report is it?: Feature Request
Description Dirk Wiesenthal univentionstaff 2018-02-19 13:19:40 CET
The portal should support adding a user group to its definition. If (and only if) a group is added to the entry, the entry is not visible for anonymous users. It is furthermore filtered for all users not in that particular group.
Comment 1 Dirk Wiesenthal univentionstaff 2018-02-19 13:28:56 CET
Fixed in
  univention-management-console 10.0.3-4A~4.3.0.201802191308
  univention-appcenter (7.0.1-9)
  univention-directory-manager-modules (13.0.19-12)
  univention-ldap (14.0.2-10)
  univention-portal (2.0.0-3)

The following LDAP attribute is now deprecated (without ever being useful):
  univentionPortalEntryAuthRestriction

The feature requires the memberOf overlay to be working.

This feature does not support groups in groups (it uses memberOf).
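The visibility rule from the description, together with the memberOf caveat from Comment 1, as an added example in Python. This is illustrative code written for this page, not the univention-portal implementation; the field name `allowed_groups`, the sample DNs and the group data are constructed for the demonstration, and the real UCS LDAP attribute that stores the allowed groups is not assumed. It also goes one step beyond the text by including a transitive group walk, to show what the feature would need that a plain `memberOf` lookup does not provide:

```python
"""Group-restricted portal entries (added example, not UCS code).

Rule modelled: an entry without allowed groups is visible to everyone,
anonymous users included; an entry with allowed groups is hidden from
anonymous users and shown only to users whose memberOf attribute
contains one of those group DNs. memberOf, as the OpenLDAP overlay
maintains it, lists direct memberships only, so membership inherited
through a nested group does not grant access.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class PortalEntry:
    dn: str
    display_name: str
    # Hypothetical field for the allowed group DNs; the real attribute
    # name used by UCS is not assumed here.
    allowed_groups: tuple = ()


@dataclass(frozen=True)
class LdapUser:
    dn: str
    # Value of memberOf as the overlay writes it: direct groups only.
    member_of: tuple = ()


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_visible(entry: PortalEntry, user: Optional[LdapUser]) -> bool:
    if not entry.allowed_groups:
        return True            # unrestricted: everyone, anonymous included
    if user is None:
        return False           # restricted: never shown to anonymous users
    allowed = {normalize_dn(g) for g in entry.allowed_groups}
    direct = {normalize_dn(g) for g in user.member_of}
    return not allowed.isdisjoint(direct)


def visible_entries(entries: Iterable[PortalEntry], user: Optional[LdapUser]) -> List[str]:
    return [e.display_name for e in entries if is_visible(e, user)]


def transitive_groups(direct: Iterable[str], group_members: Dict[str, Set[str]]) -> Set[str]:
    """Resolve groups-in-groups from a group -> members map.

    This is the walk the feature deliberately does NOT perform; it is
    here only to make the memberOf limitation visible.
    """
    members_by_group = {normalize_dn(g): {normalize_dn(m) for m in ms}
                        for g, ms in group_members.items()}
    seen = {normalize_dn(g) for g in direct}
    work = list(seen)
    while work:
        current = work.pop()
        for parent, members in members_by_group.items():
            if current in members and parent not in seen:
                seen.add(parent)
                work.append(parent)
    return seen


# Constructed sample directory data.
BASE = "dc=example,dc=com"
STAFF = f"cn=staff,cn=groups,{BASE}"
ADMINS = f"cn=portal-admins,cn=groups,{BASE}"
ALICE = f"uid=alice,cn=users,{BASE}"
BOB = f"uid=bob,cn=users,{BASE}"

# portal-admins is itself a member of staff (a group in a group).
GROUP_MEMBERS = {STAFF: {BOB, ADMINS}, ADMINS: {ALICE}}

ENTRIES = [
    PortalEntry(f"cn=wiki,cn=portal,{BASE}", "Wiki"),                  # unrestricted
    PortalEntry(f"cn=hr,cn=portal,{BASE}", "HR tool", (STAFF,)),
    PortalEntry(f"cn=umc,cn=portal,{BASE}", "Admin console", (ADMINS,)),
]

# memberOf holds direct memberships only; alice is not listed under staff.
ALICE_USER = LdapUser(ALICE, (ADMINS.upper(),))   # upper-cased to exercise normalization
BOB_USER = LdapUser(BOB, (STAFF,))


def demo() -> Dict[str, List[str]]:
    return {
        "anonymous": visible_entries(ENTRIES, None),
        "bob": visible_entries(ENTRIES, BOB_USER),
        "alice": visible_entries(ENTRIES, ALICE_USER),
    }


if __name__ == "__main__":
    for who, names in demo().items():
        print(f"{who}: {names}")
    print("alice transitively in staff:",
          normalize_dn(STAFF) in transitive_groups(ALICE_USER.member_of, GROUP_MEMBERS))
```

Alice is a member of staff only through portal-admins, so the HR entry stays hidden for her even though a transitive resolution would admit her; that is exactly the "no groups in groups" behaviour the comment describes. Anything that must honour nested groups needs either the transitive walk above or a directory that flattens memberships for it.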
Comment 2 Dirk Wiesenthal univentionstaff 2018-02-19 13:29:49 CET
I have used Bug#46270 in the changelogs.
Comment 3 Arvid Requate univentionstaff 2018-02-19 14:45:15 CET
Wouldn't it be good to use os.initgroups(username, id)? That would fetch all group memberships via standard (nss) interfaces which also support caching.
Comment 4 Arvid Requate univentionstaff 2018-02-19 14:51:51 CET
Maybe os.getgrouplist would be better, but that seems to be only in Python 3; off the cuff I have no clue how getgrouplist relates to initgroups and nss.
Comment 5 Dirk Wiesenthal univentionstaff 2018-02-21 12:53:23 CET
Agreed, syscalls may be better. But only python3 supports the required method. We experienced performance issues with the methods in python2.7.

So for now, we should stick to LDAP and no "groups in groups". We should reconsider after we upgraded Python.
Comment 6 Stefan Gohmann univentionstaff 2018-02-23 16:52:11 CET
OK: It works with users in more than 100 groups and with group umlauts.

Fail: I'm unable to see the portal entries for my test user on the DC backup if the DC master slapd is stopped. That doesn't look right since I'm able to login in UMC on the backup even if the DC master slapd is stopped.
Comment 7 Stefan Gohmann univentionstaff 2018-02-23 20:46:43 CET
I'll try it again after fixing Bug #46376.
Comment 8 Stefan Gohmann univentionstaff 2018-02-24 16:29:07 CET
(In reply to Stefan Gohmann from comment #6)
> OK: It works with users in more than 100 groups and with group umlauts.
> 
> Fail: I'm unable to see the portal entries for my test user on the DC backup
> if the DC master slapd is stopped. That doesn't look right since I'm able to
> login in UMC on the backup even if the DC master slapd is stopped.

Fixed through Bug #46376. Everything else works fine.

(In reply to Dirk Wiesenthal from comment #1)
> The feature requires the memberOf overlay to be working.
> 
> This feature does not support groups in groups (it uses memberOf).

I've added a note to the manual bug: Bug #46391.
Comment 9 Stefan Gohmann univentionstaff 2018-03-14 14:38:07 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".