Bug 719926

Summary: WebUI not displaying admin options if the user is admin, but only via nested group
Product: [Retired] freeIPA
Reporter: Oliver Falk <oliver>
Component: WebUI
Assignee: Adam Young <ayoung>
Status: CLOSED UPSTREAM
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: 2.0
CC: ayoung, benl, dpal, jgalipea
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
: 720336 (view as bug list) Environment:
Last Closed: 2012-03-28 09:25:40 UTC
Bug Blocks: 720336
Attachments:
* indirect member of a group (flags: none)
* screenshot of admin user logged in (flags: none)

Description Oliver Falk 2011-07-08 12:46:50 UTC
Description of problem:
I have created a user in a test instance:
[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(ttt.admin),1612200000(admins)

The user is in the group 'admin', because the group 'ttt.admin' is listed in the member groups of 'admin'. While this works fine with ldap/sssd, the WebUI seems to not check the nested groups.
If I directly add my test user to the group 'admin', the WebUI correctly displays the Admin options.

Version-Release number of selected component (if applicable):
[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(p4t.admin),1612200000(admins)

How reproducible: Always.

Steps to Reproduce:
* Install freeipa-server
* Create a group 'xxx'
* Add 'xxx' group to 'admin' group
* Create user 'asdf'
* Add 'asdf' user to the 'xxx' group
* id 'asdf' will show both groups
* WebUI will only display the user webinterface
  
Actual results:
* WebUI seems not to check the nested groups.

Expected results:
* WebUI should also check the nested groups.

Additional info:
This is not a fatal problem, since there aren't so many IPA admins, of course, and we can add those users directly to the 'admin' group. However, it would be convenient.
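
The difference between a direct-only membership check and one that follows nested groups, as an added example (not FreeIPA code and not part of the original report). The names 'admin', 'xxx' and 'asdf' follow the reproduction steps; the data layout, the function names, the user 'bob' and the 'loop_a'/'loop_b' groups are assumptions made up for illustration.

```python
from collections import deque

# Constructed sample directory: group -> its direct user and group members.
GROUP_MEMBERS = {
    "admin":    {"users": set(),           "groups": {"xxx"}},
    "xxx":      {"users": {"asdf"},        "groups": set()},
    "ipausers": {"users": {"asdf", "bob"}, "groups": set()},
    # Hypothetical groups that contain each other, to exercise the cycle guard.
    "loop_a":   {"users": set(),           "groups": {"loop_b"}},
    "loop_b":   {"users": {"bob"},         "groups": {"loop_a"}},
}


def direct_groups(user, groups=GROUP_MEMBERS):
    """Groups that list the user as a direct member."""
    return {name for name, m in groups.items() if user in m["users"]}


def effective_groups(user, groups=GROUP_MEMBERS):
    """Direct plus indirect groups, found by walking upward through nesting."""
    # Invert the member relation: child group -> groups that contain it.
    parents = {}
    for name, m in groups.items():
        for child in m["groups"]:
            parents.setdefault(child, set()).add(name)

    seen = set(direct_groups(user, groups))
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for parent in parents.get(current, ()):
            if parent not in seen:  # guard against circular nesting
                seen.add(parent)
                queue.append(parent)
    return seen


def is_admin_direct_only(user):
    """The behaviour described in the report: nested membership is ignored."""
    return "admin" in direct_groups(user)


def is_admin(user):
    """The expected behaviour: nested membership counts."""
    return "admin" in effective_groups(user)
```

Whatever decides which interface a user sees should use the same effective membership that the server enforces, so the UI and the actual privileges do not disagree.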

Comment 1 Oliver Falk 2011-07-08 12:47:55 UTC
Update:

Version-Release number of selected component (if applicable):
[root@ipa01 ~]# rpm -q freeipa-server
freeipa-server-2.0.1-2.fc15.i686

(Used the wrong buffer)

Comment 2 Jenny Severance 2011-07-08 15:03:06 UTC
Question ... there are radio buttons for direct and indirect members now ... are you selecting indirect members to see user asdf as an indirect member of admin group?  This is working for me.

Comment 3 Jenny Severance 2011-07-08 15:03:37 UTC
Created attachment 511940
indirect member of a group

Comment 4 Oliver Falk 2011-07-11 06:40:42 UTC
Your different looks different to mine... 8-/

However, the user is, of course, an indirect member, since it is a direct member of the group 'xxx', and the 'xxx' group is a member of the 'admin' group. As already said.

Again, it's not a problem that the user doesn't belong to the group when it comes to ldap queries or if you check the user using the WebUI. But if you log in with the user, you only see the user UI and not the admin UI...

Comment 5 Jenny Severance 2011-07-11 12:33:18 UTC
Created attachment 512200
screenshot of admin user logged in

I see what you mean now ....

Comment 7 Oliver Falk 2011-07-14 09:44:18 UTC
I cannot apply this patch with my current version (freeipa-server-2.0.1-2.fc15).