Since I upgraded my plugin from dmx 5.1 to 5.2 I have trouble with previously working code. The code does the following. In the application there can be an application-wide administration user. For this user to have write privileges everywhere there is a specific function that sets this privilege. The actual implementation takes all possible workspaces that the app-admin needs and creates a membership. This function is itself privileged, of course, and is only supposed to work when logged in as (DMX) admin.
However, in DMX 5.2 the membership creation fails because apparently the DMX admin has no write privilege to the workspaces. This may be true, but how am I supposed to create this membership then?
The function I am using is AccessControlService.createMemberShip(userName, workspaceId)
UserName is my app-admin, workspace Id is one of the many possible workspaces that exist in the application.
The intended DMX 5.2 create-membership policy is as follows, and to my knowledge that is what is implemented as well:
Interactively in the Webclient: the current user (according to JSESSIONID cookie) must have WRITE permission to the very workspace
Programmatically by calling AccessControlService.createMemberShip(): no restrictions apply. Every user can create memberships. (Creating via HTTP API requires being logged in though.)
See also #455 which, to my knowledge, fixed your original problem.
For testing, user “jri” created a public workspace “Birds” (ID 5052).
User “admin” can invite himself via HTTP API, even if – at that moment – he has no WRITE permission to “Birds”:
POST localhost:8080/access-control/user/admin/workspace/5052
Authorization: Basic YWRtaW46
A Membership between “admin” and “Birds” is created properly, and assigned to the “Birds” workspace. YWRtaW46 are admin’s credentials here.
It also works the other way round: user “jri” can join workspaces created by “admin”.
So at the moment I can’t reproduce the problem.
Maybe my knowledge and actual implementation differ.
Taking your example:
For testing, user “jri” created a public workspace “Birds” (ID 5052).
Can user “admin” make user “rsc” a member of “Birds” via AccessControlService.createMembership()?
The code looks like this (Kotlin):
    val userName = user.childTopics.getString(NS.user.name)
    for (workspace in dmx.getTopicsByType(NS.dmx.workspaces.workspace)) {
        if (isWorkspaceIAmInterestedIn(workspace)) {
            acService.createMembership(userName, workspace.id)
        }
    }
user is the app-admin user that should get all the privileges. The code runs in a custom transaction and with a session cookie that belongs to “admin” (the DMX administrator).
Aug 19, 2021 4:41:33 PM systems.dmx.accesscontrol.AccessControlPlugin tryLogin
INFO: ##### Logging in as "admin" => SUCCESSFUL!
Aug 19, 2021 4:41:33 PM systems.dmx.core.util.UniversalExceptionMapper logException
SEVERE: Request "POST /access-control/user/jpn/workspace/5052" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Creating membership for user "jpn" and workspace 5052 failed
at systems.dmx.accesscontrol.AccessControlPlugin.createMembership(AccessControlPlugin.java:367)
...
Caused by: java.lang.RuntimeException: Creating assoc of type "dmx.accesscontrol.membership" failed
at systems.dmx.core.impl.AccessLayer.createAssoc(AccessLayer.java:337)
at systems.dmx.core.impl.CoreServiceImpl.createAssoc(CoreServiceImpl.java:220)
at systems.dmx.core.impl.CoreServiceImpl.createAssoc(CoreServiceImpl.java:37)
at systems.dmx.accesscontrol.AccessControlPlugin.lambda$createMembership$2(AccessControlPlugin.java:361)
at systems.dmx.core.util.ContextTracker.run(ContextTracker.java:20)
at systems.dmx.core.impl.PrivilegedAccessImpl.runInWorkspaceContext(PrivilegedAccessImpl.java:353)
at systems.dmx.accesscontrol.AccessControlPlugin.createMembership(AccessControlPlugin.java:360)
... 51 more
Caused by: java.lang.RuntimeException: An error occurred in the PostCreateAssoc listener of plugin "DMX Workspaces"
at systems.dmx.core.impl.EventManager.dispatchEvent(EventManager.java:96)
at systems.dmx.core.impl.EventManager.fireEvent(EventManager.java:59)
at systems.dmx.core.impl.AccessLayer.createAssoc(AccessLayer.java:333)
... 57 more
Caused by: java.lang.RuntimeException: Assigning association 3821 (typeUri="dmx.accesscontrol.membership") to workspace 5052 failed
at systems.dmx.workspaces.WorkspacesPlugin._assignToWorkspace(WorkspacesPlugin.java:498)
at systems.dmx.workspaces.WorkspacesPlugin.postCreateAssoc(WorkspacesPlugin.java:430)
at systems.dmx.core.impl.CoreEvent$11.dispatch(CoreEvent.java:134)
at systems.dmx.core.impl.EventManager.dispatchEvent(EventManager.java:83)
... 59 more
Caused by: systems.dmx.core.service.accesscontrol.AccessControlException: user "admin" has no WRITE permission for object 5052
at systems.dmx.accesscontrol.AccessControlPlugin.checkAccess(AccessControlPlugin.java:971)
at systems.dmx.accesscontrol.AccessControlPlugin.checkWriteAccess(AccessControlPlugin.java:956)
at systems.dmx.accesscontrol.AccessControlPlugin.checkTopicWriteAccess(AccessControlPlugin.java:538)
at systems.dmx.core.impl.CoreEvent$3.dispatch(CoreEvent.java:58)
at systems.dmx.core.impl.EventManager.dispatchEvent(EventManager.java:83)
at systems.dmx.core.impl.EventManager.fireEvent(EventManager.java:59)
at systems.dmx.core.impl.AccessLayer.checkTopicWriteAccess(AccessLayer.java:809)
at systems.dmx.core.impl.TopicModelImpl.checkWriteAccess(TopicModelImpl.java:145)
at systems.dmx.core.impl.DMXObjectImpl.checkWriteAccess(DMXObjectImpl.java:242)
at systems.dmx.workspaces.WorkspacesPlugin.checkAssignmentArgs(WorkspacesPlugin.java:536)
at systems.dmx.workspaces.WorkspacesPlugin._assignToWorkspace(WorkspacesPlugin.java:495)
... 62 more
Aug 19, 2021 4:41:33 PM systems.dmx.core.impl.TransactionFactory$TransactionResourceFilter$2 filter
WARNING: ### Rollback transaction of systems.dmx.accesscontrol.AccessControlPlugin#createMembership()
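Added example (not part of the thread and not DMX code): a small Python triage script for logs in the format quoted above. It reports the root-cause denial for each failed request and flags when the user that failed the permission check differs from the user named in the request path, as happens here ("admin" versus "jpn"). The sample log is constructed by abbreviating the quoted lines; the function and field names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the log lines quoted in the thread.
SAMPLE_LOG = """\
SEVERE: Request "POST /access-control/user/jpn/workspace/5052" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Creating membership for user "jpn" and workspace 5052 failed
at systems.dmx.accesscontrol.AccessControlPlugin.createMembership(AccessControlPlugin.java:367)
Caused by: java.lang.RuntimeException: An error occurred in the PostCreateAssoc listener of plugin "DMX Workspaces"
Caused by: systems.dmx.core.service.accesscontrol.AccessControlException: user "admin" has no WRITE permission for object 5052
WARNING: ### Rollback transaction of systems.dmx.accesscontrol.AccessControlPlugin#createMembership()
"""

REQUEST = re.compile(r'Request "(\w+) (\S+)" failed\. Responding with (\d{3})')
MEMBERSHIP = re.compile(r"/access-control/user/([^/]+)/workspace/(\d+)$")
DENIED = re.compile(r'AccessControlException: user "([^"]+)" has no (\w+) permission for object (\d+)')


def triage(log_text):
    """Return one finding per failed request whose root cause is an access denial."""
    requests, current = [], None
    for line in map(str.strip, log_text.splitlines()):
        m = REQUEST.search(line)
        if m:
            current = {"method": m[1], "path": m[2], "status": int(m[3]),
                       "root_cause": None, "rolled_back": False}
            requests.append(current)
        elif current and line.startswith("Caused by: "):
            current["root_cause"] = line[len("Caused by: "):]  # last one wins
        elif current and "Rollback transaction" in line:
            current["rolled_back"] = True
            current = None  # this request's trace is complete

    findings = []
    for req in requests:
        denied = DENIED.search(req["root_cause"] or "")
        if not denied:
            continue
        req["checked_user"], req["permission"] = denied[1], denied[2]
        req["object_id"] = int(denied[3])
        target = MEMBERSHIP.search(req["path"])
        req["target_user"] = target[1] if target else None
        # True when the denial names the caller, not the user being added.
        req["denied_for_caller"] = req["checked_user"] != req["target_user"]
        findings.append(req)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```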
Hi Jörg,
yes, the exception you saw is exactly what I was seeing on my end. Sorry I could not provide a stack trace, I only saw it in the debugger’s stack frames.
Good that it could be fixed!
Big plus if the updated DMX could be retrieved through some public Maven repo again.