Univention Bugzilla – Bug 52835
Possible to change primary group to one that a user is not a member of
Last modified: 2022-10-14 16:14:28 CEST
The issue cannot be replicated in a pure vanilla UCS, but once we add more complex administration concepts it can come up in any customer environment. In the Newmail project we have Groups with limited administration rights, meaning they can add users to some groups but not to others. They can also set the primary group.

If we use the UMC - User Module and select as a primary group one that the user is not currently a member of, the user is added to this group automatically. If this fails because the limited admin has no right to add the user to this group, then we get an error message, but the primary group is still set.

So to restate the issue:
- We have a limited admin that is allowed to add users to group A but not group B.
- The limited admin has the right to change the primary group of a user.
- The admin sets the primary group of a user to B.
- He gets an error message because UCS is trying to also add the user to group B.
- The primary group of the user is still set to B, despite the error.

The customer expects the operation to fail completely, resulting in no change to the user object. The customer also expects the primary group to always be one that the user is a member of.

I would propose to add a feature to all UMC modules. Whenever a change is made, first check if all changes can be performed; if they can, then continue as normal. If they can't, then produce an error message and do not perform any operation.
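
The failure mode and the proposed check-before-write behaviour from the report above, as an added Python example that is not UCS or UDM code and not part of the original report. It is a constructed in-memory model: `Directory`, its methods and the names `limited-admin` and `alice` are hypothetical, and it assumes the primary group attribute is written before the membership change is attempted.

```python
class Directory:
    """Constructed toy directory: per-admin ACL for group membership changes."""

    def __init__(self, acl):
        self.acl = acl        # admin -> groups the admin may add members to
        self.primary = {}     # user -> primary group
        self.members = {}     # group -> set of users

    def _may_add(self, admin, group):
        return group in self.acl.get(admin, set())

    def add_member(self, admin, user, group):
        if not self._may_add(admin, group):
            raise PermissionError(f"{admin} may not add members to {group}")
        self.members.setdefault(group, set()).add(user)

    def set_primary_non_atomic(self, admin, user, group):
        # Reported behaviour (write order is an assumption): the attribute
        # is stored, then the membership change fails and nothing is undone.
        self.primary[user] = group
        if user not in self.members.get(group, set()):
            self.add_member(admin, user, group)

    def set_primary_checked(self, admin, user, group):
        # Proposed behaviour: check every required step first, write only
        # if all of them are permitted, otherwise leave the object untouched.
        needs_add = user not in self.members.get(group, set())
        if needs_add and not self._may_add(admin, group):
            raise PermissionError(f"{admin} may not add members to {group}")
        if needs_add:
            self.members.setdefault(group, set()).add(user)
        self.primary[user] = group

    def primary_is_member_group(self, user):
        # Invariant the customer expects: primary group is a group of the user.
        return user in self.members.get(self.primary.get(user), set())


def scenario(method_name):
    """Limited admin may manage group A only, then tries primary group B."""
    d = Directory({"limited-admin": {"A"}})
    d.set_primary_checked("limited-admin", "alice", "A")
    try:
        getattr(d, method_name)("limited-admin", "alice", "B")
        denied = False
    except PermissionError:
        denied = True
    return denied, d.primary["alice"], d.primary_is_member_group("alice")
```

Both variants report the error to the limited admin; only the checked variant leaves the primary group at A and keeps the membership invariant intact.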