
dhis2-devs team mailing list archive

[Bug 1509824] [NEW] User Unable to Create Dataset if a "Role" is not read/write

 

Public bug reported:

Hello Devs,

Seeing this in Version 2.21, 2.20, 2.18 (untested in 2.19)

Getting an access is denied on the creation of a dataset if the user has
any roles assigned to them that they cannot edit themselves, and then
DHIS2 will go ahead and create the dataset anyway. Sometimes this can
create a situation where the user is unable to go back and create a role
for this dataset, as it won't appear in the list of potentials, and
requires a super user's intervention.

Steps to reproduce are:
1. Create a limited user who can at least create datasets and roles
2. Make sure one role assigned to the user is private, or 'can view' to public
3. Attempt to make dataset

I tested this quite a bit; here is how I accomplished it on the demo server v2.21:
1. Make a role that is 'almost all' roles
2. Make the role 'can view' to public
3. Assign to new user
4. Log in as new user and attempt to create dataset, it will say:

You don't have update access to object [IdentifiableObject: id='424205',
uid='UAuVBYXIEl1', code='null', name='AlmostAll', created='Sun Oct 25
16:01:54 CET 2015', lastUpdated='Sun Oct 25 16:08:03 CET 2015',
class='class org.hisp.dhis.user.UserAuthorityGroup"']

5. Notice that the dataset is, in fact, created.
6. Observe that they cannot create a role with the new dataset, as _no_ datasets will show up.

Server log (version 2.20, but I'm sure it will be very similar to v2.21)
* INFO  2015-10-25 06:39:22,736 'almostsu' create org.hisp.dhis.dataset.DataSet, name: testing123, uid: WgEZ8p73ToE (AuditLogUtil.java [http-bio-8080-exec-53])
* INFO  2015-10-25 06:39:22,745 'almostsu' update denied org.hisp.dhis.user.UserAuthorityGroup, name: almost all, uid: IXdrP5ZBeVn (AuditLogUtil.java [http-bio-8080-exec-53])

Things I checked:
1. The user has access to everything from the category options all the way up to the ability to make roles and datasets
2. Making the role creation and dataset creation roles public and putting in a blank role that is private, this will still error it out

Suggested Fixes:
Skip the role creation step, suggesting the user go and do that or contact an administrator for assistance upon a successful creation of a dataset
OR Auto create a new role 1:1 with datasets regardless of the user's ability to create and edit roles (the role could auto mimic the same sharing laid out for the dataset itself (updating as it updated), and removing itself entirely when the dataset is deleted)

Also, questions for discussion:
Do we need the dataset/program roles going forward? Is sharing not enough for granular access to the roles?

If the answer to those is YES, would the dataset and program roles work better if separate from the "Roles" entirely in the user creation page, and auto created on a per dataset/program basis? Right now it auto adds to a seemingly random role in the user's role list upon dataset creation (if they have write access to every role).
We could also add to the pseudo 'right click menu' for the dataset/program: "Assign this dataset to Users _and_ Organisation Units"

** Affects: dhis2
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1509824
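
A log check for the pattern in the server log above, added here as an example and not part of the original report or of DHIS2's code: it pairs a successful `create` audit line with a denied write by the same user on the same request thread shortly afterwards, which marks a request that was partly applied before authorization failed. The first two sample lines are the ones quoted in the report; the last two lines, the one-second window and the function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Audit line layout as it appears in the report's server log excerpt.
AUDIT = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) '(?P<user>[^']*)' "
    r"(?P<action>\w+)(?P<denied> denied)? (?P<cls>[\w.]+), "
    r"name: (?P<name>.*?), uid: (?P<uid>\w+) "
    r"\(AuditLogUtil\.java \[(?P<thread>[^\]]+)\]\)"
)

# Lines 1-2 are quoted from the report; lines 3-4 are constructed sample data.
SAMPLE_LOG = """\
* INFO  2015-10-25 06:39:22,736 'almostsu' create org.hisp.dhis.dataset.DataSet, name: testing123, uid: WgEZ8p73ToE (AuditLogUtil.java [http-bio-8080-exec-53])
* INFO  2015-10-25 06:39:22,745 'almostsu' update denied org.hisp.dhis.user.UserAuthorityGroup, name: almost all, uid: IXdrP5ZBeVn (AuditLogUtil.java [http-bio-8080-exec-53])
* INFO  2015-10-25 06:41:10,102 'exampleadmin' create org.hisp.dhis.dataset.DataSet, name: constructed-ok, uid: Aaaaaaaaaa1 (AuditLogUtil.java [http-bio-8080-exec-12])
* INFO  2015-10-25 06:45:00,000 'almostsu' update denied org.hisp.dhis.user.UserAuthorityGroup, name: almost all, uid: IXdrP5ZBeVn (AuditLogUtil.java [http-bio-8080-exec-53])
""".splitlines()


def parse(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = AUDIT.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
    ev["denied"] = ev["denied"] is not None
    return ev


def find_partial_writes(lines, window=timedelta(seconds=1)):
    """Return (created, denied) pairs: a successful create followed by a denied
    write from the same user on the same thread within `window`. Pool threads
    are reused across requests, so the time window is what ties the two
    events to one request (an assumption of this example)."""
    creates, findings = {}, []
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["thread"])
        if ev["denied"]:
            for created in creates.get(key, []):
                if timedelta(0) <= ev["ts"] - created["ts"] <= window:
                    findings.append((created, ev))
        elif ev["action"] == "create":
            creates.setdefault(key, []).append(ev)
    return findings


if __name__ == "__main__":
    for created, denied in find_partial_writes(SAMPLE_LOG):
        print(f"{created['user']}: created {created['cls']} {created['uid']}, "
              f"then denied {denied['action']} on {denied['cls']} {denied['uid']}")
```

Each finding names an object that persisted even though a later step of the same request was refused, so it is a candidate for the super user cleanup the report describes.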
