[KULRICE-4575] IM Person doc should only allow editing of direct group memberships Created: 20/Sep/10  Updated: 03/Nov/10  Resolved: 22/Sep/10

Status: Closed
Project: Kuali Rice Development
Component/s: Development
Affects Version/s: 1.0.3
Fix Version/s: 1.0.3

Type: Bug Fix Priority: Critical
Reporter: Dan Lemus (Inactive) Assignee: Jeremy Hanson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Fix
fixes KFSOLD-19812 IM Person doc should only allow editi... Closed
Rice Module:
KIM
Application Requirement:
KFS
KAI Review Status: Not Required
KTI Review Status: Not Required

 Description   

Currently, the UIDocumentServiceImpl#loadEntityToPersonDoc method pulls group memberships from GroupService#getGroupsForPrincipal. While wildly useful in other contexts (such as finding out which responsiblities a principal has through a group), in this context it's deadly: getGroupsForPrincipal returns all memberships in groups and all memberships implied by groups being members in other groups.

Basically, if principal kmoutlaw is a member of group A, and group A is a member of group B, then when you do an IM Person doc on kmoutlaw, the memberships for both group A and group B are shown as editable. Editors might miss this and simply save the doc, thereby making kmoutlaw a direct member of group A and group B. The second time we open an IM person doc on kmoutlaw, both the direct membership to group B and the indirect membership (through group A) to group B are editable...which leads to optimistic lock exceptions.

On the IM Person doc, only direct group memberships should be editable.

Note from James on how to fix this issue (listed on KFSMI-5987):
James Smith added a comment - 13/Sep/10 05:20 PM
To fix said issue, I changed this line in UIDocumentServiceImpl#loadEntityToPersonDoc:

List<? extends Group> groups = getGroupService().getGroupsForPrincipal(identityManagementPersonDocument.getPrincipalId());

to this:

List<? extends Group> groups = getGroupsByIds(getGroupService().getDirectGroupIdsForPrincipal(identityManagementPersonDocument.getPrincipalId()));

and added this method (all of this is in UA's override of that service):

/**

  • Looks up GroupInfo objects for each group id passed in
  • @param groupIds the List of group ids to look up GroupInfo records on
  • @return a List of GroupInfo records
    */
    protected List<? extends Group> getGroupsByIds(List<String> groupIds) {
    List<GroupInfo> groups = new ArrayList<GroupInfo>();
    for (String groupId : groupIds) { final GroupInfo groupInfo = getGroupService().getGroupInfo(groupId); groups.add(groupInfo); }

    return groups;
    }



 Comments   
Comment by Dan Lemus (Inactive) [ 20/Sep/10 ]

Not sure if this should be listed more as a contribution, or fix. But the appropriate fix has been added to the description field of this JIRA.

Comment by Jeremy Hanson [ 21/Sep/10 ]

Currently, non direct group memberships are not shown on the IM Person document. Not sure when this was implemented, but it does check to make sure the principalId is a direct member before adding it to the doc.

That said, the current way of doing this looks incredibly complicated for what it does.
It currently gets all groups for a principal id, which returns non-direct groups.
Then it grabs the direct members for the each of these groups and loops through them comparing them to the principalID
If the direct member of the group matches the principal id, the group is added to the document.

So I think I'm going to updated this code to James' solution as it should be more efficient.

Comment by Jeremy Hanson [ 22/Sep/10 ]

change committed

Generated at Thu Jan 21 20:41:31 CST 2021 using JIRA 7.0.11#70121-sha1:19d24976997c1d95f06f3e327e087be0b71f28d4.