TACTIC Open Source
Cannot see gear menu for users and other security issues/ - Printable Version




Cannot see gear menu for users and other security issues/ - LazyLeopard - 09-21-2021

This problem seems so basic that I am afraid that I might be doing something wrong.

My expectation is that once a user is part of a group with access level "Hi", then he should be able to see all the options in the gear menu. Effectively, only the "admin" user can see the gear menu; no other user can see it, even if they are part of the "admin" group.

Actually, adding any other users to the admin group does not grant them any extra privilege.

How to reproduce:

1. Create a group in a (vfx) project with access level "Hi".
2. Add a custom user to the group
3. Open the links asset from the sidebar
4. Click the gear menu to find that it is empty

Screenshot

[attachment=162]

Version Info:

TACTIC 4.8 (b1b927), Python 3.9.6, Windows 10 (19042), PostgreSQL 13.3, Google Chrome Version 93.0.4577.82
using pyasm.security.LdapADAuthenticate


RE: Cannot see gear menu for users and other security issues/ - remkonoteboom - 09-23-2021

I took a quick look at this and you are correct. For some reason, high access level does not show the gear menu items. In the code, it is clearly set:

xml.append('''<rule group="gear_menu" submenu="*" label="*" access="allow"/>''')

This access rule in the login_group table should allow all menus to be visible. I tried adding some menu items manually in the login_group xml access rules:

<rule group="gear_menu" submenu="File" label="Export All ..." project="vfx" access="allow"/>
<rule group="gear_menu" submenu="File" label="Export Selected ..." project="vfx" access="allow"/>
<rule group="gear_menu" submenu="File" label="Export Matched ..." project="vfx" access="allow"/>
<rule group="gear_menu" submenu="File" label="Export Displayed ..." project="vfx" access="allow"/>
<rule group="gear_menu" submenu="File" label="Import CSV" project="vfx" access="allow"/>

And this works fine. I will have to trace through to see why the entire menu is being blocked for the above "*" rules.
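
The behaviour the post above expects from these rules, modelled as a small default-deny matcher (an added example, not TACTIC's code and not part of the original post). The <rules> wrapper element, the function names, and treating a rule without a project attribute as applying to every project are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs built from the rule lines quoted in the post above.
# The <rules> wrapper element is an assumption made so the snippets parse.
WILDCARD = '<rules><rule group="gear_menu" submenu="*" label="*" access="allow"/></rules>'
EXPLICIT = """<rules>
  <rule group="gear_menu" submenu="File" label="Export All ..." project="vfx" access="allow"/>
  <rule group="gear_menu" submenu="File" label="Import CSV" project="vfx" access="allow"/>
</rules>"""
FILE_MENU = [("File", "Export All ..."), ("File", "Export Selected ..."),
             ("File", "Export Matched ..."), ("File", "Export Displayed ..."),
             ("File", "Import CSV")]

def _matches(pattern, value):
    # "*" matches anything; any other pattern must equal the value exactly.
    return pattern == "*" or pattern == value

def is_allowed(rules_xml, submenu, label, project):
    """Default deny: True only if an allow rule covers the menu item."""
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("group") != "gear_menu" or rule.get("access") != "allow":
            continue
        # Assumption: a rule with no project attribute applies to all projects.
        if not _matches(rule.get("project", "*"), project):
            continue
        if _matches(rule.get("submenu"), submenu) and _matches(rule.get("label"), label):
            return True
    return False

def visible_items(rules_xml, menu, project):
    """Return the (submenu, label) pairs a group with these rules should see."""
    return [item for item in menu if is_allowed(rules_xml, item[0], item[1], project)]

def wildcard_gaps(wildcard_xml, explicit_xml, menu, project):
    """Items the explicit rules expose but the "*" rule does not (expected: none)."""
    seen = set(visible_items(wildcard_xml, menu, project))
    return [i for i in visible_items(explicit_xml, menu, project) if i not in seen]

if __name__ == "__main__":
    print(visible_items(WILDCARD, FILE_MENU, "vfx"))
    print(visible_items(EXPLICIT, FILE_MENU, "vfx"))
    print(wildcard_gaps(WILDCARD, EXPLICIT, FILE_MENU, "vfx"))
```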


RE: Cannot see gear menu for users and other security issues/ - LazyLeopard - 09-24-2021

Can you also look into the problem that any custom users other than the default "admin" do not get any privileges, even if we add them to the "admin" group? This problem is also reproducible in the Docker Hub 4.7.0.b02 image, but it works fine in 4.5.0v01.


RE: Cannot see gear menu for users and other security issues/ - remkonoteboom - 09-28-2021

I believe this will fix the issue for both the "high" access level and for users in the "admin" group.

https://github.com/Southpaw-TACTIC/TACTIC/pull/1691

Let me know if this works for you. Thanks for reporting.


RE: Cannot see gear menu for users and other security issues/ - LazyLeopard - 09-28-2021

It does work fine now, many thanks!


RE: Cannot see gear menu for users and other security issues/ - LazyLeopard - 11-01-2021

(09-28-2021, 09:37 AM)LazyLeopard Wrote: It does work fine now, many thanks!

Well, an update. The gear menu seemed to work for "high" access levels. However, the users of the admin group ...

[attachment=163]

... are still not elevated.

[attachment=164]


RE: Cannot see gear menu for users and other security issues/ - remkonoteboom - 11-04-2021

Are you saying that the gear menu doesn't appear for "admin" group or (from your images), that the admin group doesn't see all of the projects?


RE: Cannot see gear menu for users and other security issues/ - LazyLeopard - 11-05-2021

(11-04-2021, 05:17 PM)remkonoteboom Wrote: Are you saying that the gear menu doesn't appear for "admin" group or (from your images), that the admin group doesn't see all of the projects?


Admin group doesn't see all of the projects, including the admin project! There is a screenshot in my earlier post.