- Type: Bug
- Resolution: Unresolved
- Priority: Minor
- Affects Version/s: 4.13.1
- Component/s: WS
An edu.internet2.middleware.grouper.exception.GroupNotFoundException error is thrown when performing a WsRestFindGroupsRequest operation against a composite group, with includeGroupDetail = true, and an actAsSubject set to a subject who has privileges to read the group, but no privileges on one or more of the factor groups.
Steps to reproduce:
- Create two groups to be factors in a third composite group
- Create the composite group and configure the composite
- Grant ADMIN (or READ & UPDATE) privileges on the composite group to a subject
- Do NOT grant the same privileges to the subject on one or both of the composite factor groups
- Perform a WsRestFindGroupsRequest with a body similar to (substituting actual groupName and subjectId):
    {
      "WsRestFindGroupsRequest": {
        "wsQueryFilter": {
          "groupName": "testStem:testCompositeGroup",
          "queryFilterType": "FIND_BY_GROUP_NAME_EXACT"
        },
        "actAsSubjectLookup": {
          "subjectId": "testSubject"
        },
        "includeGroupDetail": "T"
      }
    }
Expected results: The operation should be successful. The response should contain a WsFindGroupResults.groupResults array containing the group. The group should have a detail property, with leftGroup and rightGroup properties. Since the actAsSubject has no privileges on one (or both) factors of the composite, the leftGroup/rightGroup properties should contain minimal information including the "you do not have privileges to view group ${UUID}" seen in other responses (e.g. when getting membership of a group that contains another group that the caller has no privs on).
Actual results: The operation fails with an error:
    WsRestResultProblem {
      url: 'https://grouper.its.sfu.ca/grouper-ws/servicesRest/v4_0_000/groups',
      status: 500,
      resultMetadata: {
        resultCode: 'EXCEPTION',
        resultMessage: 'clientVersion: 4.0.0, wsQueryFilter: WsQueryFilter[queryFilterType=FIND_BY_GROUP_NAME_EXACT,groupName=testStem:testCompositeGroup]\n' +
          ', includeGroupDetail: true, actAsSubject: WsSubjectLookup[subjectId=testSubject], paramNames: \n' +
          ', params: null\n' +
          ', wsGroupLookups: null, java.lang.RuntimeException: edu.internet2.middleware.grouper.exception.GroupNotFoundException: Cant view group: f8e6f8eaf74f4ddaaed4b875f9f94df0\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.WsGroupDetail.<init>(WsGroupDetail.java:210)\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.WsGroup.<init>(WsGroup.java:211)\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.WsGroup.convertGroups(WsGroup.java:92)\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.WsFindGroupsResults.assignGroupResult(WsFindGroupsResults.java:116)\n' +
          '\tat edu.internet2.middleware.grouper.ws.GrouperServiceLogic.findGroups(GrouperServiceLogic.java:850)\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.GrouperService.findGroups(GrouperService.java:397)\n' +
          '\tat edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.findGroups(GrouperServiceRest.java:210)\n' +
          '\tat edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGet$1.service(GrouperWsRestGet.java:100)\n' +
          '\tat edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$1.service(GrouperRestHttpMethod.java:57)\n' +
          '\tat edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:202)\n' +
          '\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:623)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)\n' +
          '\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)\n' +
          '\tat edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:1042)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)\n' +
          '\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)\n' +
          '\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)\n' +
          '\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)\n' +
          '\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)\n' +
          '\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)\n' +
          '\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)\n' +
          '\tat SomeOtherValve.invoke(SomeOtherValve.java:61)\n' +
          '\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\n' +
          '\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)\n' +
          '\tat org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)\n' +
          '\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\n' +
          '\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)\n' +
          '\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)\n' +
          '\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\n' +
          '\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\n' +
          '\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n' +
          '\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)\n' +
          '\tat java.base/java.lang.Thread.run(Thread.java:840)\n' +
          'Caused by: edu.internet2.middleware.grouper.exception.GroupNotFoundException: Cant view group: f8e6f8eaf74f4ddaaed4b875f9f94df0\n' +
          '\tat edu.internet2.middleware.grouper.Composite._getGroup(Composite.java:309)\n' +
          '\tat edu.internet2.middleware.grouper.Composite.getLeftGroup(Composite.java:181)\n' +
          '\tat edu.internet2.middleware.grouper.ws.coresoap.WsGroupDetail.<init>(WsGroupDetail.java:206)\n' +
          '\t... 35 more',
        success: 'F'
      },
      responseMetadata: { millis: '160', serverVersion: '4.13.0' }
    }}
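
The expected behaviour described in this report, modelled as an added example (not Grouper code and not part of the original report): each composite factor is resolved separately, and a factor the acting subject cannot read degrades to a minimal placeholder instead of failing the whole request with a 500 and a stack trace. The `Group` and `Composite` types, the map keys other than `leftGroup`/`rightGroup`, and the sample UUIDs are hypothetical stand-ins constructed for illustration.

```java
import java.util.*;

// Added illustration: hypothetical stand-in types, not Grouper's own classes.
public class CompositeDetailDemo {
    static class GroupNotFoundException extends RuntimeException {
        GroupNotFoundException(String msg) { super(msg); }
    }

    record Group(String uuid, String name, Set<String> readers) {}

    record Composite(Group left, Group right) {
        // Mirrors the reported failure: a factor the subject cannot read throws.
        Group factor(Group g, String subjectId) {
            if (!g.readers().contains(subjectId))
                throw new GroupNotFoundException("Cant view group: " + g.uuid());
            return g;
        }
    }

    // Resolve one factor; on a privilege failure return only the UUID and the
    // placeholder text, never the factor's name or other attributes.
    static Map<String, String> factorView(Composite c, Group g, String subjectId) {
        Map<String, String> view = new LinkedHashMap<>();
        try {
            Group visible = c.factor(g, subjectId);
            view.put("uuid", visible.uuid());
            view.put("name", visible.name());
        } catch (GroupNotFoundException e) {
            view.put("uuid", g.uuid());
            // Which field carries this text is an assumption.
            view.put("name", "you do not have privileges to view group " + g.uuid());
        }
        return view;
    }

    static Map<String, Object> detail(Composite c, String subjectId) {
        Map<String, Object> d = new LinkedHashMap<>();
        d.put("leftGroup", factorView(c, c.left(), subjectId));
        d.put("rightGroup", factorView(c, c.right(), subjectId));
        return d;
    }

    public static void main(String[] args) {
        // Constructed sample data: testSubject may read only the right factor.
        Group left = new Group("00000000000000000000000000000001", "testStem:factorA", Set.of("admin"));
        Group right = new Group("00000000000000000000000000000002", "testStem:factorB", Set.of("admin", "testSubject"));
        System.out.println(detail(new Composite(left, right), "testSubject"));
    }
}
```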