Bug 730199

Summary: User security permissions are cached and require logout/login to refresh when changes are made
Product: [Retired] Zanata
Reporter: Akira TAGOH <tagoh>
Component: Component-UI
Assignee: Carlos Munoz <camunoz>
Status: CLOSED CURRENTRELEASE
QA Contact: Joyce Chang <jochang>
Severity: high
Priority: high
Version: unspecified
CC: camunoz, jwulf, petersen, sflaniga, zanata-bugs
Target Milestone: ---
Keywords: Reopened
Target Release: 1.6-alpha-1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: Zanata version 1.6-SNAPSHOT (20120321-1619)
Doc Type: Bug Fix
Doc Text:
Cause: Authorization checks were made by querying the security entity representing the user. However, when a user is made an owner of the project, the user entity is not updated, the project entity is updated. The user entity is only updated when the user logs in.
Consequence: When a user was given ownership of a project, they had to log out and log back in again before Zanata would authorize them as the owner of the project.
Fix: The authorization check is now made by querying the project entity, rather than the user entity.
Result: Users no longer have to log out and log back in again to update their authorizations when they are assigned ownership of a project.
Last Closed: 2012-06-22 00:58:21 UTC

Description Akira TAGOH 2011-08-12 06:27:58 UTC
Description of problem:
While remaining signed in to Zanata, no action items appear in the Actions section of the project after creating the project.

Version-Release number of selected component (if applicable):
1.3 on fedora.zanata.org

How reproducible:
always

Steps to Reproduce:
1. Sign in to Zanata.
2. Create the project.
3. Move into the project created in step 2.
  
Actual results:
I can see the created projects and my name in the maintainers, and I can even access the projects through my profile, but no action items appear in Actions.

Expected results:
The appropriate action items should appear there.

Additional info:
It appears after re-signing into Zanata.

Comment 2 Ding-Yi Chen 2011-08-12 06:44:45 UTC
As the following document shows:

http://zanata.org/docs/html/chap_request_project.html

Re-login is essential.

Comment 3 Akira TAGOH 2011-08-12 06:48:18 UTC
(In reply to comment #2)
> As the following document shows:
> 
> http://zanata.org/docs/html/chap_request_project.html
> 
> Re-login is essential.

That's not a solution but a workaround for the wrong behavior. If re-signing in
is essential, Zanata should at least prompt users to do so, such as by expiring
the session, and shouldn't allow one to play around with it until re-signing in.

Comment 4 Joshua Wulf 2011-08-12 06:57:02 UTC
Is there a way in Seam to force the reloading of the logged-in user's security permissions?

If there is, then we could put in a button to effect that, or we could call it on any page where it will be needed, like a project page.

Comment 5 Sean Flanigan 2011-08-12 07:25:01 UTC
I couldn't find it in a quick search, but yes, there must be some way of doing it.  Ideally we would invalidate the permissions cache whenever the roles are changed.  Failing that, we could at least give admins a button to clear the entire cache on demand.

Comment 6 Sean Flanigan 2011-09-07 04:33:28 UTC
Assigning to Scrum product owner for prioritisation.

Comment 7 Carlos Munoz 2012-03-12 05:25:35 UTC
This bug is corrected by changes in bug 727789.

The problem was that changes done to the project maintainers were not being reflected in the entities held by the security framework. I changed the way Zanata checks the maintainer status of a user against a project. Instead of checking on the person side, it now checks on the project side, which should have the latest information always, hence no need to log out anymore.

Comment 8 Joyce Chang 2012-03-22 04:47:39 UTC
Verified in Zanata version 1.6-SNAPSHOT (20120321-1619).

Comment 9 Joshua Wulf 2012-04-20 08:02:26 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Authorization checks were made by querying the security entity representing the user. However, when a user is made an owner of the project, the user entity is not updated, the project entity is updated. The user entity is only updated when the user logs in.

Consequence: When a user was given ownership of a project, they had to log out and log back in again before Zanata would authorize them as the owner of the project.

Fix: The authorization check is now made by querying the project entity, rather than the user entity.

Result: Users no longer have to log out and log back in again to update their authorizations when they are assigned ownership of a project.
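
The cause and fix described in comment 7 and the technical note above, as an added Java sketch that is not Zanata's code: a user-side snapshot taken at login is compared with a check made against the project at request time. `Project`, `Session` and both check methods are hypothetical names, the users are constructed, and the revocation case goes beyond the grant case reported in this bug; it is a property of this model, where the same stale snapshot keeps answering "maintainer" after removal.

```java
import java.util.*;

// Added illustration. Project, Session and both check methods are hypothetical names.
public class MaintainerCheckDemo {
    // Authoritative record: the project owns its maintainer set.
    static class Project {
        final String slug;
        final Set<String> maintainers = new HashSet<>();
        Project(String slug) { this.slug = slug; }
    }

    // Per-login snapshot standing in for the user entity held by the security framework.
    static class Session {
        final String username;
        final Set<String> maintainedSlugs = new HashSet<>(); // filled once at login
        Session(String username, Collection<Project> all) {
            this.username = username;
            for (Project p : all) {
                if (p.maintainers.contains(username)) maintainedSlugs.add(p.slug);
            }
        }
    }

    // Before the fix: the decision is read from the user-side snapshot.
    static boolean isMaintainerUserSide(Session s, Project p) {
        return s.maintainedSlugs.contains(p.slug);
    }

    // After the fix: the decision is read from the project at check time.
    static boolean isMaintainerProjectSide(Session s, Project p) {
        return p.maintainers.contains(s.username);
    }

    public static void main(String[] args) {
        List<Project> projects = new ArrayList<>();
        Session alice = new Session("alice", projects);  // constructed user logs in first
        Project demo = new Project("demo");              // then creates a project
        demo.maintainers.add("alice");
        projects.add(demo);
        System.out.println("grant  user-side=" + isMaintainerUserSide(alice, demo)
                + " project-side=" + isMaintainerProjectSide(alice, demo));

        demo.maintainers.add("bob");
        Session bob = new Session("bob", projects);      // logs in while a maintainer
        demo.maintainers.remove("bob");                  // then is removed
        System.out.println("revoke user-side=" + isMaintainerUserSide(bob, demo)
                + " project-side=" + isMaintainerProjectSide(bob, demo));
    }
}
```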