Bug 54040 - A school-spanning teacher/admin can add users of only one school to workgroups of other schools
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Classes / Teachers / Workgroup assignment
Version: UCS@school 5.0
Hardware: Other Windows NT
Importance: P5 normal
Target Milestone: UCS@school 5.0 v2
Assigned To: Carlos García-Mauriño
Ole Schwiegert
https://git.knut.univention.de/univen...
Reported: 2021-11-09 12:26 CET by Michael Grandjean
Modified: 2022-07-15 08:31 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
School Customer affected?: Yes


Attachments
No option to add users from other schools in workgroups (28.14 KB, image/png)
2022-06-01 15:46 CEST, Carlos García-Mauriño
Description Michael Grandjean univentionstaff 2021-11-09 12:26:08 CET
```
root@ucs-001:~# univention-app info
UCS: 4.4-8 errata1087
Installed: admindiary-backend=1.0 admindiary-frontend=1.0 radius=5.0 self-service=4.0 self-service-backend=4.0 ucsschool=4.4 v9 ucsschool-id-connector=2.0.1 ucsschool-kelvin-rest-api=1.5.0 ucsschool-veyon-proxy=1.1
Upgradable: ucsschool-id-connector
```


Scenario:

- a "school teacher 1" is properly assigned to the schools "School A" and "School B"
- we have "student 2" only at "School A"
- we have "student 3" only at "School B"

=> "school teacher 1" is able to create a new workgroup at "School A" and add *both* "student 2" and "student 3" to this workgroup. The user object of "student 3" is inconsistent afterwards:

```
root@ucs-001:~# univention-ldapsearch -LLL uid=student3 memberOf
dn: uid=student3,cn=schueler,cn=users,ou=SchoolB,dc=example,dc=org
memberOf: cn=Domain Users SchoolB,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=SchoolB-1c,cn=klassen,cn=schueler,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=schueler-SchoolB,cn=groups,ou=SchoolB,dc=example,dc=org
memberOf: cn=SchoolA-AG Georg,cn=schueler,cn=groups,ou=SchoolA,dc=example,dc=org     ## <====
```

I think this should only be allowed if "student 3" would *also* be properly assigned to *both* "School A" and "School B".
Comment 2 Daniel Tröder univentionstaff 2021-11-09 14:34:23 CET
I also think that is not the intended behavior. Work groups should only have members of the work group's school.

In the situation of the _creation_ of a work group this is difficult for the UI:
In the user-selection pop-up it has to only show users of the school that was chosen in the main window.
What should happen when users have been selected and the school is changed in the main window? I guess they must all be removed. The UI doesn't know which ones are in multiple schools.

In the situation of the _modification_ of a work group this is simple: the filter in the pop-up must be fixed to the school of the work group.

I fear this "unintended" behavior is already used by customers to have (email) groups with members from different schools, that can be managed by non-domain admins. Before changing this, we'd have to make sure we don't destroy those solutions or offer an alternative.
Comment 4 Ole Schwiegert univentionstaff 2022-04-21 09:28:01 CEST
I would fix this Bug for a new release (UCS@school 5.0v2) and just implement it as intended by us.
After including a clear statement about the behavior change in the changelog I would wait for complaints/feature requests regarding the unintended feature before implementing a solution for that edge case that we think solves the "problem"
Comment 5 Ole Schwiegert univentionstaff 2022-04-21 09:37:10 CEST
After discussion with our professional service we will fix this Bug for UCS@school 5.0v2 only. The milestone on the bug was changed accordingly.
Comment 6 Carlos García-Mauriño univentionstaff 2022-06-01 15:27:21 CEST
MR merged (https://git.knut.univention.de/univention/ucsschool/-/merge_requests/96), package built (`ucs-school-umc-groups`: `10.0.5A~5.0.0.202206011523`) and advisory updated (https://git.knut.univention.de/univention/ucsschool/-/commit/3c5cc8ddbd343b34b7f895932d277a3224ab2715).
Comment 7 Carlos García-Mauriño univentionstaff 2022-06-01 15:46:26 CEST
Created attachment 10957
No option to add users from other schools in workgroups
Comment 8 Carlos García-Mauriño univentionstaff 2022-06-01 15:48:06 CEST
Tested on a fresh instance as follows:

```
echo 'deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-ucs-school-5.0/all/' >>/etc/apt/sources.list
echo 'deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-ucs-school-5.0/amd64/' >>/etc/apt/sources.list
apt update
apt install ucs-school-umc-groups=10.0.5A~5.0.0.202206011523
systemctl restart univention-management-console-server.service univention-management-console-web-server.service
```

Then from the web interface created a user in a school and tried to add it to a workgroup in DEMOSCHOOL, and couldn't as expected. See the attachment above.

```
root@ucs-8816:~# univention-app info
UCS: 5.0-1 errata305
Installed: cups=2.2.1 samba4=4.13 squid=3.5 ucsschool=5.0 v1 4.4/ucsschool-veyon-proxy=1.1
Upgradable:
```

LGTM.
Comment 9 Felix Botner univentionstaff 2022-06-13 09:29:26 CEST
This breaks the test

  90_ucsschool.72_radius_machine_authentication.test_radius_machine_authentication

in 

  https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/view/School/job/Install%20Singleserver/.

The test creates workgroups and wants to put computer objects in those groups. That is apparently no longer possible with this change.

/var/log/univention/management-console-module-schoolgroups.log

```
08.06.22 17:26:09.120  MODULE      ( ERROR   ) : Not adding not existing user 'cn=rowew18aaw,cn=computers,ou=testou8761,dc=five,dc=new' to group: WrongObjectType('Could not find object of type None with DN "Wrong objectClass: \'cn=rowew18aaw,cn=computers,ou=testou8761,dc=five,dc=new\' is not a \'User\'.".').
```
Comment 10 Carlos García-Mauriño univentionstaff 2022-06-13 14:06:28 CEST
Thank you Felix. Should be fixed in https://git.knut.univention.de/univention/ucsschool/-/merge_requests/115

Non-user objects should not be filtered out in _filter_users. Before these changes the tests for 90_ucsschool.72_radius_machine_authentication.test_radius_machine_authentication were not passing since the function was removing computer objects.
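
An audit for memberships like the one shown in the description, as an added example (not Univention's code): it parses `univention-ldapsearch`-style LDIF and reports users who are members of a group under a school OU they are not assigned to, while leaving non-user members such as computer objects alone, the case Comments 9 and 10 deal with. The use of `ucsschoolSchool` as the source of a user's schools, the `cn=users` container test and all sample entries are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the ldapsearch output quoted in the report.
# Assumption: ucsschoolSchool lists every school a user is assigned to.
SAMPLE_LDIF = """\
dn: uid=student3,cn=schueler,cn=users,ou=SchoolB,dc=example,dc=org
ucsschoolSchool: SchoolB
memberOf: cn=SchoolA-AG Georg,cn=schueler,cn=groups,ou=SchoolA,dc=example,dc=org

dn: uid=teacher1,cn=lehrer,cn=users,ou=SchoolA,dc=example,dc=org
ucsschoolSchool: SchoolA
ucsschoolSchool: SchoolB
memberOf: cn=lehrer-SchoolB,cn=groups,ou=SchoolB,dc=example,dc=org

dn: cn=pc01,cn=computers,ou=SchoolA,dc=example,dc=org
memberOf: cn=SchoolA-wifi,cn=schueler,cn=groups,ou=SchoolA,dc=example,dc=org
"""

OU_RE = re.compile(r"(?:^|,)\s*ou=([^,]+)", re.IGNORECASE)

def school_of(dn):
    """Return the school OU named in a DN, lower-cased, or None if there is none."""
    match = OU_RE.search(dn)
    return match.group(1).strip().lower() if match else None

def parse_entries(ldif):
    """Parse unwrapped LDIF (ldapsearch -o ldif-wrap=no); base64 values are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not key.endswith(":"):
                entry.setdefault(key.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def cross_school_memberships(ldif):
    """List (user_dn, group_dn) pairs where the group's school is not one of the user's."""
    findings = []
    for entry in parse_entries(ldif):
        dn = entry["dn"][0]
        if ",cn=users," not in dn.lower():
            continue  # computers and other non-user members are not school-checked
        schools = {s.lower() for s in entry.get("ucsschoolschool", [])}
        for group_dn in entry.get("memberof", []):
            group_school = school_of(group_dn)
            if group_school and group_school not in schools:
                findings.append((dn, group_dn))
    return findings
```

Groups without a school OU in their DN are ignored, so domain-wide groups do not produce findings.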
Comment 11 Carlos García-Mauriño univentionstaff 2022-06-14 08:43:26 CEST
MR merged (https://git.knut.univention.de/univention/ucsschool/-/merge_requests/116), package built (`ucs-school-umc-groups`: `10.0.6A~5.0.0.202206140836` and `ucs-test-ucsschool`: `7.3.50A~5.0.0.202206140837`) and advisory updated (https://git.knut.univention.de/univention/ucsschool/-/commit/9788801cbba3b201700687c529c544d6fd917dfd).
Comment 13 Tobias Wenzel univentionstaff 2022-06-16 14:15:32 CEST
ok. setting bug to verify.

changelog, advisory + jenkins ok
Comment 14 Tobias Wenzel univentionstaff 2022-07-15 08:31:09 CEST
UCS@school 5.0 v2 has been released.

https://docs.software-univention.de/changelog-ucsschool-5.0v2-de.html

If this error occurs again, please clone this bug.