Defect #13682

Permission "Commit access" affected by role ID instead of role position

Added by Tharuka Pathirana over 4 years ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Permissions and roles
Target version:-
Resolution: Affected version:1.1.1

Description

When several roles affect a user in a project, the effective "commit access" permission depends on the assigned roles' IDs instead of their position under "Administration >> Roles and permission".

Here is an example. Suppose we have these roles set up in this order:

Role id SVN Read access SVN Commit access
Developer 4 Yes Yes
User 5 - -
Customer 6 Yes -

What happens if we assign a user a combination of roles, this is what happens:

Role(s) Can read Can commit As expected?
A. Customer Yes - Yes
B. User - - Yes
C. Developer Yes Yes Yes
D. Customer, User Yes - Yes(?)
E. Customer, Developer Yes - No
F. User, Developer - - No
G. Customer, User, Developer Yes - No

In combination D. I'm not sure whether the absence of the READ permission in the role "User" should override the READ permission of the role "Customer". I don't think so as I believe that the default is denied permission unless explicitly allowed by a role. But I don't know in what way the order of the roles are supposed to influence the permissions.

In E., F. and G. it becomes clear that not the order of the roles has influence, but their respective ID. In all three combinations the user should have READ als well as COMMIT permission. But that's not the case.

If, however, I change permissions to the following, keeping the order of the roles:

Role id SVN Read access SVN Commit access
Developer 4 Yes -
User 5 - -
Customer 6 Yes Yes

Then this is what happens:

Role(s) Can read Can commit As expected?
A. Customer Yes Yes Yes
B. User - - Yes
C. Developer Yes - Yes
D. Customer, User Yes Yes Yes(?)
E. Customer, Developer Yes Yes Yes(?)
F. User, Developer - - No
G. Customer, User, Developer Yes Yes Yes

In D. even though "User" is above "Customer" the user has READ and COMMIT access because the "Customer" role overrides the "User" role (or the "Developer" role in E.) because it has a higher ID (as opposed to combination F. in the first example above).

So essentially:
Is the order of the roles supposed to have influence on what resulting permissions a user has if they have several roles assigned?
If yes, then the "position" and not the "id" is supposed to be the affecting attribute.
If no, then neither "position" (order of the roles) nor their "id" should affect the resulting permission.

Also available in: Atom PDF