Bug 51944 – Portal Entry allowedGroups depends on session name

Bug 51944 - Portal Entry allowedGroups depends on session name


Summary:	Portal Entry allowedGroups depends on session name

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	Portal
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:	UMC maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2020-09-04 12:27 CEST by Andreas Peichert
Modified:	2020-09-07 09:44 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Peichert

2020-09-04 12:27:23 CEST

The setting "allowedGroups" for a portal entry is evaluated by univention-portal-server backend. This is done by comparing the current loggedin username from the session name "UMCSessionId" with the groups.

But if the UMC runs on different port i.e. 1443 the session name is "UMCSessionId-1443" and the evaluated username is "None" for a loggedin user in that case. So the portal entries are not visible.

management/univention-portal/univention-portal-server should be aware of the fact that the session name may contain the port

management/univention-web/js/tools.js:
sessionID: cookie('UMCSessionId-' + document.location.port) || cookie('UMCSessionId')