Bug 719926 - WebUI not displaying admin options if the user is admin, but only via nested group
Status: CLOSED UPSTREAM
Alias: None
Product: freeIPA
Classification: Retired
Component: WebUI
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Adam Young
QA Contact: Chandrasekar Kannan
Blocks: 720336
Reported: 2011-07-08 12:46 UTC by Oliver Falk
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 720336 (view as bug list)
Environment:
Last Closed: 2012-03-28 09:25:40 UTC
Embargoed:


Attachments
indirect member of a group (73.74 KB, image/png)
2011-07-08 15:03 UTC, Jenny Severance
screenshot of admin user logged in (74.95 KB, image/png)
2011-07-11 12:33 UTC, Jenny Severance

Description Oliver Falk 2011-07-08 12:46:50 UTC
Description of problem:
I have created a user in a test instance:
[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(ttt.admin),1612200000(admins)

The user is in the group 'admin', because the group 'ttt.admin' is listed in the member groups of 'admin'. While this works fine with ldap/sssd, the WebUI seems to not check the nested groups.
If I directly add my testuser to the group 'admin' the WebUI correctly displays the Admin options.

Version-Release number of selected component (if applicable):
[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(p4t.admin),1612200000(admins)

How reproducible: Always.

Steps to Reproduce:
* Install freeipa-server
* Create a group 'xxx'
* Add 'xxx' group to 'admin' group
* Create user 'asdf'
* Add 'asdf' user to the 'xxx' group
* id 'asdf' will show both groups
* WebUI will only display the user webinterface
  
Actual results:
* WebUI seems not to check the nested groups.

Expected results:
* WebUI should also check the nested groups.

Additional info:
This is not a fatal problem, since there aren't so many IPA admins, of course, and we can add those users directly to the 'admin' group. However, it would be convenient.
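
The difference between a direct-only membership check and one that follows nested groups, shown on the reproduction steps above. This is an added example, not FreeIPA code or anything from the report. The GROUPS data, the 'root-admin' user and all function names are constructed for illustration.

```python
# Constructed directory data mirroring the reproduction steps:
# group 'xxx' is a member of 'admin', and user 'asdf' is a member of 'xxx'.
# Keys are group names; values are their direct members (users or groups).
# 'root-admin' is a hypothetical user added directly to 'admin'.
GROUPS = {
    "admin": {"root-admin", "xxx"},
    "xxx": {"asdf"},
    "ipausers": {"asdf", "root-admin"},
}


def direct_groups(principal, groups=GROUPS):
    """Groups that list the principal as a direct member."""
    return {name for name, members in groups.items() if principal in members}


def effective_groups(principal, groups=GROUPS):
    """Direct plus indirect (nested) groups, walking upward through parents.

    The 'seen' set is both the result and the cycle guard, so a membership
    loop such as a -> b -> a still terminates.
    """
    seen = set()
    stack = [principal]
    while stack:
        current = stack.pop()
        for parent in direct_groups(current, groups):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def is_admin_direct_only(user, groups=GROUPS):
    """Check that ignores nesting, as the report says the WebUI seems to."""
    return "admin" in direct_groups(user, groups)


def is_admin_nested(user, groups=GROUPS):
    """Check the report expects: indirect membership counts too."""
    return "admin" in effective_groups(user, groups)


if __name__ == "__main__":
    for user in ("root-admin", "asdf"):
        print(user, is_admin_direct_only(user), is_admin_nested(user))
```

The same traversal is useful when reviewing who holds admin rights: listing only the direct members of 'admin' would omit 'asdf'.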

Comment 1 Oliver Falk 2011-07-08 12:47:55 UTC
Update:

Version-Release number of selected component (if applicable):
[root@ipa01 ~]# rpm -q freeipa-server
freeipa-server-2.0.1-2.fc15.i686

(Used the wrong buffer)

Comment 2 Jenny Severance 2011-07-08 15:03:06 UTC
Question ... there are radio buttons for direct and indirect members now ... are you selecting indirect members to see user asdf as an indirect member of admin group?  This is working for me.

Comment 3 Jenny Severance 2011-07-08 15:03:37 UTC
Created attachment 511940
indirect member of a group

Comment 4 Oliver Falk 2011-07-11 06:40:42 UTC
Your different looks different to mine... 8-/

However, the user is - of course - an indirect member, since it is a direct member of the group 'xxx', and the 'xxx' group is a member of the 'admin' group. As already said.

Again, it's not a problem that the user doesn't belong to the group when it comes to ldap queries or if you check the user using the WebUI. But if you log in with the user, you only see the user UI and not the admin UI...

Comment 5 Jenny Severance 2011-07-11 12:33:18 UTC
Created attachment 512200
screenshot of admin user logged in

I see what you mean now ....

Comment 7 Oliver Falk 2011-07-14 09:44:18 UTC
I cannot apply this patch with my current version (freeipa-server-2.0.1-2.fc15).

