Hi,
Yes, Version 3.14 I believe…
Yes, exactly right. In debug I see that he is granted access by the 'workspace/developer' role, although he is not a member of that workspace.
Dror
From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Gennady Azarenkov
Sent: Tuesday, March 08, 2016 1:30 PM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
I see, Dror
Just in case, we are talking about 3.x version right?
So, you mean UserB, who is not WorkspaceA's workspace/developer or admin, is able to access private WorkspaceA's files with Project API calls, correct?
On Tue, Mar 8, 2016 at 12:34 PM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi Gennady,
No, I do not mean to assign them in an application scope.
Very Simply,
It seems that the "workspace\developer" role grants permission to user A to read/write in user B's workspace.
I could not find any "ownership of workspace" check…
Is this by design?
How can I prevent write access to another user's workspace?
Regards,
Dror
From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Gennady Azarenkov
Sent: Tuesday, March 08, 2016 11:03 AM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
If I understand you correctly, you mean you assign those roles for the application scope?
I believe "workspace/admin" and "workspace/developer" are not global roles; they are intended to be used in the context of a particular workspace.
And so they are physically assigned to a workspace member, i.e. "workspace member has a role of ..."
On Mon, Mar 7, 2016 at 4:59 PM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi,
I would appreciate an explanation on Che Workspace permissions:
I am creating che users with the following roles:
"workspace/admin", "workspace/developer"
Currently, User A can read and even modify a file in user B's workspace, even if I created the file in a 'visibility=private' project.
When debugging (in che_core_vfs_impl), I see that read or write permission is granted based on ACLs, on the user's "workspace/developer" role, even though that user is not a member of that workspace…
Could it be that this check is missing?
Or am I doing something wrong here…
I am trying to restrict a user's write access to another workspace.
I appreciate your help
Regards,
Dror
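
The behaviour reported in this thread, next to a membership-scoped check, as an added example that is not part of the original messages and is not Che's code. The class, the method names, the data model and the rule that either workspace role permits writing are hypothetical assumptions; the sample users and workspaces are constructed.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Hypothetical model (not Che's classes): roles are stored per workspace membership.
public class WorkspaceAccessCheck {
    // Assumption: either of the two roles named in the thread permits writing.
    static final Set<String> WRITE_ROLES = Set.of("workspace/admin", "workspace/developer");

    // Constructed sample data: workspaceId -> (userId -> roles held in that workspace).
    static final Map<String, Map<String, Set<String>>> MEMBERS = Map.of(
        "workspaceA", Map.of("userA", Set.of("workspace/admin", "workspace/developer")),
        "workspaceB", Map.of("userB", Set.of("workspace/developer")));

    // Reported behaviour: the role name alone decides. The target workspace is
    // never consulted, so a developer of any workspace can write to every workspace.
    static boolean canWriteByRoleNameOnly(String user, String workspace) {
        return MEMBERS.values().stream()
            .map(members -> members.getOrDefault(user, Set.of()))
            .anyMatch(roles -> !Collections.disjoint(roles, WRITE_ROLES));
    }

    // Scoped check: a role counts only if the user holds it as a member of the
    // workspace being accessed. Unknown workspace or non-member means deny.
    static boolean canWriteScoped(String user, String workspace) {
        Map<String, Set<String>> members = MEMBERS.get(workspace);
        if (members == null) {
            return false;
        }
        Set<String> roles = members.get(user);
        if (roles == null) {
            return false;
        }
        return !Collections.disjoint(roles, WRITE_ROLES);
    }

    public static void main(String[] args) {
        // userC is a constructed user with no membership anywhere.
        for (String user : new String[] {"userA", "userB", "userC"}) {
            for (String ws : new String[] {"workspaceA", "workspaceB"}) {
                System.out.printf("%s -> %s: roleNameOnly=%b scoped=%b%n",
                    user, ws, canWriteByRoleNameOnly(user, ws), canWriteScoped(user, ws));
            }
        }
    }
}
```

The two checks differ only for cross-workspace pairs such as userA against workspaceB, which is the case described above.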
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev