  1. Kuali Rice Development
  2. KULRICE-13211

Investigate attachmentTypeCode and KIM Permissions.

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.1
    • Fix Version/s: 2.5.1
    • Component/s: Analysis
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Rice Team:
      Middleware
    • Sprint:
      Middleware 2.5.1 Sprint 2
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes
    • Story Points:
      5

      Description

      This is related to KULRICE-13090, where it was desired to create a set of KIM permissions which would allow the following scenario…

      A KIM principal receives a Travel Account Maintenance document in its “Action List”, and is able to see the Notes and Attachments section of that document, but is not able to see the “Download Attachment” button.

      Currently, DocumentAuthorizerBase.canViewNoteAttachment() is called, once to authorize for the visibility of the Notes and Attachments section, and once to authorize for the visibility of the “Download Attachment” button. Authorization for the “Download Attachment” button can be based on “attachment type code”, as canViewNoteAttachment() takes that as an optional parameter.

      I attempted to get the needed KIM permissions in place, but was unsuccessful. I consulted with Kristina, who provided some additional investigation, and it was decided to write up a Jira case to further investigate the situation.

      The goals of this case are …

      • Determine the KIM permissions and roles for the above scenario.
      • If KIM modifications are required, implement those, if they are minor. Any major KIM changes should first be reviewed by a KIM expert.
      • Add an AFT to DemoTravelAccountMaintenanceViewPermissionAft.java to test the scenario.

        Attachments

          Activity

          jkeller Jonathan Keller added a comment -

          I'll take this one. We use attachment type-based permissions extensively in the UCD KFS implementation.

          jkeller Jonathan Keller added a comment -

          So - initial investigation shows that the issue is that the permissions are not overriding each other on this type.

          There is both a permission for all attachments and one for the OTH attachment type. (See screen shot) Theoretically, that should block out the other permission, but it is not. Both are being considered in that case, making it additive.

          This may be a preexisting issue, but is certainly not how we want it to behave.

          I'm going to look into how hard it would be to make permissions of this type with an attachment type override those without.
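
The additive behaviour described in this comment, next to the override behaviour it asks for, as an added example that is not part of the ticket and is not Kuali Rice code. The `Grant` record, the role names and both matching functions are hypothetical; a null attachment type code stands for a permission that covers all attachment types, mirroring the optional parameter of canViewNoteAttachment().

```java
import java.util.List;
import java.util.Set;

// Requires Java 16+ (records, Stream.toList()).
public class AttachmentPermissionDemo {

    // Hypothetical model: a view-attachment permission granted to a role.
    // attachmentTypeCode == null means the permission covers every attachment type.
    record Grant(String role, String attachmentTypeCode) {}

    // Additive matching (the behaviour reported in the comment): a general grant
    // and a type-specific grant are both considered, so either one can authorize.
    static boolean additive(List<Grant> grants, Set<String> roles, String typeCode) {
        return grants.stream()
                .filter(g -> g.attachmentTypeCode() == null
                        || g.attachmentTypeCode().equals(typeCode))
                .anyMatch(g -> roles.contains(g.role()));
    }

    // Override matching (the behaviour the comment wants): when any grant names
    // the requested type code, only those grants are considered; general grants
    // apply only when no type-specific grant exists for that code.
    static boolean mostSpecific(List<Grant> grants, Set<String> roles, String typeCode) {
        List<Grant> exact = grants.stream()
                .filter(g -> typeCode != null && typeCode.equals(g.attachmentTypeCode()))
                .toList();
        List<Grant> candidates = exact.isEmpty()
                ? grants.stream().filter(g -> g.attachmentTypeCode() == null).toList()
                : exact;
        return candidates.stream().anyMatch(g -> roles.contains(g.role()));
    }

    public static void main(String[] args) {
        // Constructed sample data: one general grant, one grant for type OTH.
        List<Grant> grants = List.of(
                new Grant("ActionListRecipient", null),
                new Grant("AttachmentAdmin", "OTH"));
        Set<String> userRoles = Set.of("ActionListRecipient");

        // Section visibility check: no attachment type code is passed.
        System.out.println("view section:         " + mostSpecific(grants, userRoles, null));
        // Download button check for an OTH attachment, under each strategy.
        System.out.println("download OTH additive: " + additive(grants, userRoles, "OTH"));
        System.out.println("download OTH override: " + mostSpecific(grants, userRoles, "OTH"));
    }
}
```

With additive matching the general grant also authorizes the OTH download, which is why the scenario in the description could not be configured; with override matching the same principal keeps section visibility but loses the download button.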

          jkeller Jonathan Keller added a comment -

          Attaching Selenium IDE script used to test fix

          jkeller Jonathan Keller added a comment -

          Fix verified (with attached Selenium script) and checked in.

          Still need to create an AFT to validate.

          mztaylor Martin Taylor (Inactive) added a comment -

          Closing 2.5.1 Development


            People

            • Assignee:
              jkeller Jonathan Keller
            • Reporter:
              sedgar Steve Edgar (Inactive)
            • Votes:
              0
            • Watchers:
              3
