View Assigned Only permissions not working properly in 1.8

Post Reply
MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

View Assigned Only permissions not working properly in 1.8

Post by MCH »

Hi Sergey,

So I have finally had some time to test this properly on a blank installation and I am confident there is a bug in the way access lists are processed.

Summary: if you want to set Project Managers to "View Assigned Only" on more than one project, permissions break for at least 1 user. I have tested this behavior on 2 installations, 2 servers.
  • Brand new CentOS 7 virtual machine, SELinux disabled
    Apache 2.4.6
    PHP 7.0.15 + modules
    MySQL Community 5.7
Environment...
  1. Configured base CentOS virtual machine & disabled SELinux
    Add MySQL repository
    yum install httpd mysql-community-server php php-*<standard module list>
    Enable short_open tags in php.ini
    Test phpinfo file to make sure base install looks good
    Configure MySQL server, add "ruko" database and user with full permissions
    Unzip rukovoditel_1.8.zip to /var/www/html/
    Configure permissions...
    - chown root /var/www/html -Rf
    - chgrp apache /var/www/html -Rf
    - chmod 774 /var/www/html -Rf
    Browse to http://myserver/ - permissions check is OK
    Proceed with database installation, all OK
    Log in to Rukovoditel as admin user
    Unzip rukovoditel_ext_1.4.zip to /var/www/html/plugins/
    Install plugin from http://myserver/ > Rukovoditel > Extension > Install
That is my base installation installed and ready to go.

Steps to reproduce...
  1. As Admin...
    Create 2 Manager users: User 1 and User 2
    Create 2 Projects: Project 1 and Project 2
    Go to Application Structure > Entities List > Projects > Access > Access Configuration
    Change Manager to "View Assigned Only" - so that managers can only maintain there own projects, not all projects.
    Go to Projects and Edit Project 1 & Project 2
    Assign both User 1 & User 2 to both projects
    Open a new browser window incognito
    Log in as "User 1"
    Both projects are visible, if you attempt to view the project you receive error "Access Forbidden - Sorry, you don't have access to this page"
    Log out of User 1, log in as "User 2"
    Both projects are visible, both projects can be viewed
If you change who has access to certain projects, it can break in various circumstances...

Project 1 - User 1, User 2
Project 2 - nobody
Results P1: User 1 OK, User 2 OK
Results P2: N/A

Project 1 - User 1, User 2
Project 2 - User 1, User 2
Results P1: User 1 forbidden, User 2 OK
Results P2: User 1 forbidden, User 2 OK

Project 1 - User 2
Project 2 - User 1, User 2
Results P1: N/A, User 2 OK
Results P2: User 1 forbidden, User 2 OK

Project 1 - nobody
Project 2 - User 1, User 2
Results P1: N/A
Results P2: User 1 OK, User 2 OK
Attachments
phpinfo.txt
phpinfo and yum package list
(116.64 KiB) Downloaded 227 times

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

Create 2 new "Developer" users called Dev 1 & Dev 2
Assign User 1, User 2, Dev 1, Dev 2 to Project 1 & Project 2
Results P1: User 1 and Dev 1 are forbidden, User 2 and Dev 2 are OK
Results P2: User 1 and Dev 1 are forbidden, User 2 and Dev 2 are OK

So it appears to be the first user of each user group that breaks.

User avatar
support
Site Admin
Posts: 3418
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: View Assigned Only permissions not working properly in 1.8

Post by support »

Hi

I already tested it once you report about this issue. And I tested on Windows and Linux servers and I can't reproduce it. Also nobody else report about this issue and I think this can be issue with server configuration where data not saved properly and that is why you have this issue.

Is it possible to send me ftp to folder where you installed Ruko?
I need to debug code in your server since I can't reproduce it on my servers.
If it's possible send me ftp by email or private message.

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

Hi,

If you start with a base installation of 1.8 + extension 1.4 and follow my steps to reproduce, I am confident that it will fault.

Otherwise, I could give you remote access to my test server. It is not Internet facing so you would need to remote assist a workstation on my network first.

User avatar
support
Site Admin
Posts: 3418
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: View Assigned Only permissions not working properly in 1.8

Post by support »

If you start with a base installation of 1.8 + extension 1.4 and follow my steps to reproduce, I am confident that it will fault.
Already done, and works ok.
Otherwise, I could give you remote access to my test server. It is not Internet facing so you would need to remote assist a workstation on my network first.
Do you have shared hosting? because just have access to ftp is not enough, I have to test how it looks in browser.

Also can you try reproduce the same issue in public demo?
https://www.rukovoditel.net/demo.php
Maybe I'm doing something wrong.

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

I could not fault on your public demo. Is that made from the same 1.8 and ext 1.4 zip files that are currently on your download pages?

My server is private and not internet facing. I will do 1 more test on a LAMP spinup tomorrow, see if I can fault it there, if I can I will look at either putting my server on the internet or asking if you can dial in with TeamViewer.

User avatar
support
Site Admin
Posts: 3418
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: View Assigned Only permissions not working properly in 1.8

Post by support »

I could not fault on your public demo. Is that made from the same 1.8 and ext 1.4 zip files that are currently on your download pages?
Yes, 1.8 and ext 1.4 installed on demo
I will do 1 more test on a LAMP spinup tomorrow
yes, please.

I don't have TeamViewer, sorry.

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

Hi Sergey,

I have just completed my 3rd installation on a blank WAMP setup with Ruko 1.8 (MD5 2ef3ba734432ebff02ef6f422bc68f4e) and Ext 1.4 (MD5 5401134d79696cdadb02930e118c9857), exact same issue as reported above. This time on Windows with PHP 5.6.

Created blank database & db user
Ran through initial Ruko setup - created database tables and added admin user
Logged in as admin
Go to Extensions and installed with license key
Created 2 blank projects
Created 2 manager users (Username: user1, Firstname: 1, Lastname: User) and same again for user2
Assigned both manager users to team of both projects
Go to Application Structure > Entities List > Projects > Access > Access Configuration
Change Manager from View to View Assigned Only
Log out
Log in as user1 and attempt to view both projects, receive error "Access Forbidden"

I would really like to arrange a remote desktop session so that you can see that I am not crazy.

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

I have just noticed there is now v1.8.1, where are the changes notes for this release?

MCH
Posts: 8
Joined: 21 Feb 2017, 06:24
Name: MCH
Location: Australia
Company Name: MCH

Re: View Assigned Only permissions not working properly in 1.8

Post by MCH »

OK I have just completed a 4th test with Rukovoditel 1.8.1 and extension 1.4.1, same results.

I am going to contact you via email to arrange remote access so that we can get this sorted.

Post Reply