  1. OpenNMS
  2. NMS-7372

ACLs ineffective in geographic map



    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 14.0.3
    • Fix Version/s: Meridian-2015.1.0, 16.0.0
    • Security Level: Default (Default Security Scheme)
    • Labels:
    • Environment:
      Any instance with ACLs enabled and configured and lat/lon asset fields for nodes


      Steps to reproduce:

      1. Provision a subset of geo-enabled nodes into a surveillance category "Test" that is visible to a group "testing" that a non-admin user exclusively belongs to. Omit at least one geo-enabled node from this category.

      2. Log in as the non-admin user and verify that only the subset of nodes in the "Test" category is visible in the node list.

      3. Still logged in as the non-admin user, navigate to the geographical map.

      Expected result: Nodes displayed in geo-map are restricted as in the node list

      Actual result: All nodes with geo-data are displayed

      Beyond the geo-maps issue, it now appears (at least for a develop snapshot built on 16 Jan 2015) that ACLs are no longer being enforced at the DAO level. For instance, a non-admin user can now see a node that should be off-limits simply by changing the value of the "node" URL query parameter to element/node.jsp.
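
The check this report implies, as an added example that is not part of the original report and is not OpenNMS code: the node list, the geographical map and the node detail lookup all read through one data-access object that applies the category ACL itself, so no view can skip it. `Node`, `User`, `NodeDao` and `visible_ids` are hypothetical names, and the sample nodes are constructed to mirror the steps to reproduce.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Node:
    id: int
    categories: frozenset
    lat: Optional[float] = None
    lon: Optional[float] = None

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    admin: bool = False

class NodeDao:
    """Hypothetical DAO: every read takes the caller and filters by category ACL."""
    def __init__(self, nodes, category_groups):
        self._nodes = {n.id: n for n in nodes}
        self._category_groups = category_groups  # category -> groups allowed to see it

    def _allowed(self, user, node):
        return user.admin or any(user.groups & self._category_groups.get(c, frozenset())
                                 for c in node.categories)

    def find_all(self, user):  # backs the node list
        return [n for n in self._nodes.values() if self._allowed(user, n)]

    def find_geo(self, user):  # backs the geographical map
        return [n for n in self.find_all(user) if n.lat is not None and n.lon is not None]

    def get(self, user, node_id):  # backs the node detail page
        node = self._nodes.get(node_id)
        return node if node is not None and self._allowed(user, node) else None

def visible_ids(dao, user, candidate_ids):
    """Node ids each view exposes; the detail view is probed with every known id."""
    return {
        "node_list": {n.id for n in dao.find_all(user)},
        "geo_map": {n.id for n in dao.find_geo(user)},
        "node_detail": {i for i in candidate_ids if dao.get(user, i) is not None},
    }

# Constructed data: node 3 is geo-enabled but omitted from the "Test" category.
NODES = [Node(1, frozenset({"Test"}), 35.7, -79.1), Node(2, frozenset({"Test"}), 40.0, -75.0),
         Node(3, frozenset({"Other"}), 51.5, -0.1)]
DAO = NodeDao(NODES, {"Test": frozenset({"testing"})})
TESTER = User("tester", frozenset({"testing"}))
```

A regression test for this issue asserts that the three sets are identical for the non-admin user; the behaviour reported here corresponds to `geo_map` and `node_detail` containing node 3 while `node_list` does not.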




            • Assignee:
              desloge Donald Desloge
              jeffg Jeff Gehlbach
            • Votes:
              0
            • Watchers:
              3


              • Created: