You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jspwiki.apache.org by "Bruno Peeters (JIRA)" <ji...@apache.org> on 2009/02/16 14:13:00 UTC

[jira] Created: (JSPWIKI-507) Management of group members

Management of group members
---------------------------

                 Key: JSPWIKI-507
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-507
             Project: JSPWiki
          Issue Type: Bug
    Affects Versions: 2.8.1
            Reporter: Bruno Peeters


It is possible to define members for a group who are not defined in the wiki. There is no check whether the entered names are valid wiki names or full names.

It is possible to edit the membership of a group ("edit group"). If the last user of a group is removed - the box showing the group members is empty - and the save button is clicked, there is no warning that it is not possible to remove the last user of a group. Although the user may think that he removed the last user, the requested removal has not been carried out.

If a group is created by a valid user, and a non existing user is added, and finally the creator of the group removes himself of the list of group members, the group remains with only one member, not defined within the wiki. By default only members of the group can edit the membership list. There is currently no check that the last remaining user of a group is indeed a valid wiki user.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (JSPWIKI-507) Management of group members

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/JSPWIKI-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674010#action_12674010 ] 

Harry Metske commented on JSPWIKI-507:
--------------------------------------

Agreed, because JSPWiki can run both with default built-in security (UserDatabase.xml / GroupDataBase.xml) and with Container Managed Security (with many different implementations), there is no way we can find out if a user is a valid user.

> Management of group members
> ---------------------------
>
>                 Key: JSPWIKI-507
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-507
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>
> It is possible to define members for a group who are not defined in the wiki. There is no check whether the entered names are valid wiki names or full names.
> It is possible to edit the membership of a group ("edit group"). If the last user of a group is removed - the box showing the group members is empty - and the save button is clicked, there is no warning that it is not possible to remove the last user of a group. Although the user may think that he removed the last user, the requested removal has not been carried out.
> If a group is created by a valid user, and a non existing user is added, and finally the creator of the group removes himself of the list of group members, the group remains with only one member, not defined within the wiki. By default only members of the group can edit the membership list. There is currently no check that the last remaining user of a group is indeed a valid wiki user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (JSPWIKI-507) Management of group members

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/JSPWIKI-507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith closed JSPWIKI-507.
----------------------------------

    Resolution: Won't Fix

JSPWiki is meant to be flexible in terms of how we create wiki groups, and whether they match users we know about (if we manage them natively) or users we don't know about (if the container manages them).

Sometimes that flexibility means a user can get themselves into trouble, as Bruno notes.  But there's no obvious fix for this, and I don't believe it is serious enough a problem to devote engineering time fixing. Specific proposals (and patches) for this are welcome, of course.


> Management of group members
> ---------------------------
>
>                 Key: JSPWIKI-507
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-507
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>
> It is possible to define members for a group who are not defined in the wiki. There is no check whether the entered names are valid wiki names or full names.
> It is possible to edit the membership of a group ("edit group"). If the last user of a group is removed - the box showing the group members is empty - and the save button is clicked, there is no warning that it is not possible to remove the last user of a group. Although the user may think that he removed the last user, the requested removal has not been carried out.
> If a group is created by a valid user, and a non existing user is added, and finally the creator of the group removes himself of the list of group members, the group remains with only one member, not defined within the wiki. By default only members of the group can edit the membership list. There is currently no check that the last remaining user of a group is indeed a valid wiki user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (JSPWIKI-507) Management of group members

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/JSPWIKI-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674061#action_12674061 ] 

Andrew Jaquith commented on JSPWIKI-507:
----------------------------------------

Good points. Marking this as WONTFIX.

> Management of group members
> ---------------------------
>
>                 Key: JSPWIKI-507
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-507
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>
> It is possible to define members for a group who are not defined in the wiki. There is no check whether the entered names are valid wiki names or full names.
> It is possible to edit the membership of a group ("edit group"). If the last user of a group is removed - the box showing the group members is empty - and the save button is clicked, there is no warning that it is not possible to remove the last user of a group. Although the user may think that he removed the last user, the requested removal has not been carried out.
> If a group is created by a valid user, and a non existing user is added, and finally the creator of the group removes himself of the list of group members, the group remains with only one member, not defined within the wiki. By default only members of the group can edit the membership list. There is currently no check that the last remaining user of a group is indeed a valid wiki user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (JSPWIKI-507) Management of group members

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/JSPWIKI-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673880#action_12673880 ] 

Janne Jalkanen commented on JSPWIKI-507:
----------------------------------------

I'm not sure whether this is really a problem - you can always even delete all the user accounts and end up with invalid groups.  

What is the problem if there are groups which contain only invalid/zero members?  They're not taking resources... The admin can always delete them - perhaps it would be useful to have a tool which detected them...

(I fear that trying to second-guess all possible combinations for users and groups is simply too difficult - especially if user management is externalized to LDAP or something similar.  There's no way to know when an user is removed, for example.)


> Management of group members
> ---------------------------
>
>                 Key: JSPWIKI-507
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-507
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>
> It is possible to define members for a group who are not defined in the wiki. There is no check whether the entered names are valid wiki names or full names.
> It is possible to edit the membership of a group ("edit group"). If the last user of a group is removed - the box showing the group members is empty - and the save button is clicked, there is no warning that it is not possible to remove the last user of a group. Although the user may think that he removed the last user, the requested removal has not been carried out.
> If a group is created by a valid user, and a non existing user is added, and finally the creator of the group removes himself of the list of group members, the group remains with only one member, not defined within the wiki. By default only members of the group can edit the membership list. There is currently no check that the last remaining user of a group is indeed a valid wiki user.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.