Bug 42526

Summary: Prevent moving or removing one's own object via UDM
Product: UCS
Reporter: Moritz Bunkus <m.bunkus>
Component: UDM (Generic)
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Johannes Keiser <keiser>
Severity: normal
Priority: P5
CC: best, gohmann, klaeser, schwardt
Version: UCS 4.1
Flags: best: Patch_Available+
Target Milestone: UCS 4.2-1-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=44883
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Usability
Max CVSS v3 score:
Attachments: patch

Description Moritz Bunkus 2016-09-28 14:20:05 CEST
Today I wanted to move some of our user objects from their usual place in "cn=users,$base_dn" to a sub-container "cn=MitarbeiterInnen,cn=users,$base_dn". I logged in as user "mbunkus", navigated to the LDAP module, created the sub-container (including adding it to the default user container). Then I selected a couple of user objects in "cn=users" including the object "uid=mbunkus,cn=users,$base_dn" — the one I had used to log in to the UMC.

The move process started, but right in the middle of moving "uid=mbunkus" it aborted with something like "access to UMC denied". I then logged back in to UMC, again as "uid=mbunkus".

The result was a partial move of that user object "uid=mbunkus". It was indeed moved to the new sub-container, however, the group membership hadn't been updated completely.

In a couple of groups the old entry was still present as "uniqueMember: uid=mbunkus,cn=users,$base_dn". In other groups both the old entry and the new one were present:

------------------------------------------------------------
[0 root@trinculo ~] univention-ldapsearch cn=kace-admins dn uniqueMember|ldapsearch-wrapper
# extended LDIF
#
# LDAPv3
# base <dc=bs,dc=linet-services,dc=de> (default) with scope subtree
# filter: cn=kace-admins
# requesting: dn uniqueMember
#

# kace-admins, groups, bs.linet-services.de
dn: cn=kace-admins,cn=groups,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=users,dc=bs,dc=linet-services,dc=de
uniqueMember: uid=mbunkus,cn=mitarbeiterinnen,cn=users,dc=bs,dc=linet-services,dc=de
------------------------------------------------------------

Fixing it wasn't that hard, but tedious: edit each group, remove all occurrences of the affected user, re-add the user, save.
Comment 1 Florian Best univentionstaff 2016-09-28 14:27:59 CEST
Created attachment 8043 [details]
patch

Maybe we should restrict moving "myself" in a first step.
I guess fixing this is a little bit complicated and this corner case must be kept in mind in further development.
Comment 2 Moritz Bunkus 2016-09-28 14:45:41 CEST
From a user POV I'd be perfectly fine with not being able to move myself as this is done very infrequently. Preventing having to clean up the mess afterwards is what would be important to me.
Comment 3 Florian Best univentionstaff 2017-01-17 13:05:43 CET
*** Bug 43350 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2017-06-28 17:18:36 CEST
The patch has been applied. Additionally removing is now also prevented (Bug #43350). This currently doesn't work when logged in via SAML because the DN comparison is case sensitive. This will be fixed generically in another bug.

univention-directory-manager-modules (12.0.17-22):
r80592 | Bug #42526: prevent to move and remove the own object

univention-directory-manager-modules.yaml:
r80592 | Bug #42526: prevent to move and remove the own object
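The guard described in comment 4, as an added example that is not UDM's or Univention's code: a self-contained Python illustration of refusing a move or remove whose target is the bound user's own object, comparing DNs only after normalizing them so that a session DN that differs just in letter case (the SAML caveat above) is still caught. It goes beyond the page in two ways: it also refuses moving a container that holds the bound object, and it includes a helper that scans group membership for the stale or duplicated uniqueMember entries the description shows. All names (normalize_dn, check_not_self, find_stale_members) and the example.com sample groups are constructed for this example.

```python
"""Refuse UDM-style move/remove operations that target the bound user's own
object, comparing DNs case-insensitively.  Constructed example, not UDM code."""
from typing import Dict, List


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, keeping backslash-escaped separators inside a part."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around components dropped, multi-valued RDNs sorted.
    Assumes the RDN attributes involved (uid, cn, ou, dc) use case-ignoring
    matching rules, which holds for the DNs shown on this bug."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.append(f"{attr.strip().lower()}={value.strip().lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def is_same_or_below(dn: str, ancestor: str) -> bool:
    """True if dn is ancestor itself or lies somewhere in its subtree."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return d == a or d.endswith("," + a)


class SelfOperationError(Exception):
    """Raised when a move/remove would affect the caller's own object."""


def is_self_operation(bound_dn: str, target_dn: str, operation: str) -> bool:
    """A move or remove is a self-operation when the target is the bound
    user's object, or a container that (transitively) holds it."""
    return operation in ("move", "remove") and is_same_or_below(bound_dn, target_dn)


def check_not_self(bound_dn: str, target_dn: str, operation: str) -> None:
    """Guard to call before performing the operation; raises on self-targets."""
    if is_self_operation(bound_dn, target_dn, operation):
        raise SelfOperationError(
            f"refusing to {operation} {target_dn!r}: it is or contains the "
            f"object you are logged in as ({bound_dn!r})")


def find_stale_members(groups: Dict[str, List[str]], old_dn: str,
                       new_dn: str) -> Dict[str, str]:
    """After a move from old_dn to new_dn, report groups whose uniqueMember
    list still carries the old DN: 'stale' if only the old DN is present,
    'stale+new' if old and new DN coexist (the partial-move case above)."""
    old, new = normalize_dn(old_dn), normalize_dn(new_dn)
    report = {}
    for group_dn, members in groups.items():
        norm = {normalize_dn(m) for m in members}
        if old in norm:
            report[group_dn] = "stale+new" if new in norm else "stale"
    return report


# Constructed sample data modelled on the ldapsearch output in the report.
OLD_DN = "uid=mbunkus,cn=users,dc=example,dc=com"
NEW_DN = "uid=mbunkus,cn=MitarbeiterInnen,cn=users,dc=example,dc=com"
SAMPLE_GROUPS = {
    "cn=kace-admins,cn=groups,dc=example,dc=com": [OLD_DN, NEW_DN.lower()],
    "cn=domain users,cn=groups,dc=example,dc=com": [OLD_DN],
    "cn=clean,cn=groups,dc=example,dc=com": [NEW_DN],
}

if __name__ == "__main__":
    # A SAML-style session DN that differs only in case is still recognised.
    try:
        check_not_self("UID=MBUNKUS,CN=Users,DC=example,DC=com", OLD_DN, "move")
    except SelfOperationError as exc:
        print(exc)
    for group, state in find_stale_members(SAMPLE_GROUPS, OLD_DN, NEW_DN).items():
        print(f"{state:10} {group}")
```

In a real deployment the bound DN would come from the authenticated session and the guard would sit in front of the move and remove handlers; the normalization step is the part that matters, since a plain string comparison is exactly what lets a differently-cased session DN slip past.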
Comment 5 Johannes Keiser univentionstaff 2017-06-30 11:33:51 CEST
Tested with UMC and command line:
OK Moving and removing own object is not allowed

YAML: OK
-> verified
Comment 6 Janek Walkenhorst univentionstaff 2017-07-05 13:06:32 CEST
<http://errata.software-univention.de/ucs/4.2/79.html>