{ "id": "126931", "key": "AC-974", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "12217", "key": "AC", "name": "Appcelerator - INBOX", "projectCategory": { "id": "10000", "description": "", "name": "Customer Service" } }, "resolution": { "id": "5", "description": "All attempts at reproducing this issue failed, or not enough information was available to reproduce the issue. Reading the code produces no clues as to why this behavior would occur. If more information appears later, please reopen the issue.", "name": "Cannot Reproduce" }, "resolutiondate": "2014-03-17T00:54:07.000+0000", "created": "2014-02-27T20:28:28.000+0000", "labels": [ "doc-request" ], "versions": [], "issuelinks": [], "assignee": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "updated": "2016-03-08T07:37:18.000+0000", "status": { "description": "A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.", "name": "Resolved", "id": "5", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "14545", "name": "Documentation" } ], "description": "Usually one user cannot edit/delete another user's stuff (without ACLs).\r\n\r\nNow consider next situation:\r\n\r\nI create User1 with Console.\r\nI create User2 within User1 session.\r\n\r\nI create CustomObject with User1 session: Obj1\r\nI create CustomObject with User2 session: Obj2\r\n\r\nWith this situation:\r\nWith both users I can read both objects.\r\nWith User1 I can edit/delete Obj1 & Obj2.\r\nWith User2 I can edit/delete Obj2 but cannot edit/delete Obj1.\r\n\r\nIn some way, not explained in docs, User2 belongs to User1 (but there is no proof of it seeing User2 info in the console), so User1 inherits the owner and can do whatever thing he want with User2's objects.\r\n\r\nIt would be good to reflect this in the docs, because it's a special situation that can cause some surprises (although it has logic).", "attachment": [], "flagged": false, "summary": "When user1 creates a new user2, can modify/delete all user2's stuff", "creator": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "subtasks": [], "reporter": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "environment": null, "comment": { "comments": [ { "id": "295049", "author": { "name": "ragrawal", "key": "ragrawal", "displayName": "Ritu Agrawal", "active": true, "timeZone": "America/Los_Angeles" }, "body": "From the documentation:\nFor regular users (non-admin users), after successully executing this command, you will be logged in as the new user and the session ID will be associated with the newly created user. For example, when user A creates user B, user A is now logged in as user B and user A's session ID belongs to user B.\n\nFor admin users, you will still be logged in as the admin user.\n\nDid you make sure that you logged in as User 1 in your case explicitly before looking at User 2 objects? Is User 1 an admin?", "updateAuthor": { "name": "ragrawal", "key": "ragrawal", "displayName": "Ritu Agrawal", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-02-28T06:42:56.000+0000", "updated": "2014-02-28T06:42:56.000+0000" }, { "id": "295055", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "Hi Ritu.\r\n\r\nYes, I'm completely sure because User2 was created some days ago. Also, to create the initial objects, I logged in again with the right user. Then yesterday I logged in as User2 to make the test and I was not able to delete User1 objects. Then I logged out and logged in as User1 to try to delete User2's objects... and I was able.\r\n\r\nI also checked the \"user_id\" field on the objects to verify that the object I was trying to delete belonged to the user I expected.\r\n\r\nBoth users are not admin users, in fact none of them can use special objects, like PushNotification.notify with to_ids parameter to everyone (which is only allowed to admins)", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-02-28T07:59:35.000+0000", "updated": "2014-02-28T08:01:09.000+0000" }, { "id": "295200", "author": { "name": "ragrawal", "key": "ragrawal", "displayName": "Ritu Agrawal", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I need a couple of clarifications:\n\n1. Are you creating users and objects using ACS Web console (cloud.appcelerator.com) or using curl commands?\n2. You mentioned that you created User2 using User1 session1. How did you login with User1 credentials? ACS console or Curl commands?", "updateAuthor": { "name": "ragrawal", "key": "ragrawal", "displayName": "Ritu Agrawal", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-03-03T02:01:48.000+0000", "updated": "2014-03-03T02:01:48.000+0000" }, { "id": "295231", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "1. Using Node.ACS code (I suppose it's equivalent to curl), I don't use the console for nothing more than create the first user (User1), because I need one user to log-in the first time in my system. After that, I log-in with that user and with my CRUD, I can create the other users.\n2. I log-in through my own system, using Node.ACS code.\n\nI put here the code I'm using for log-in and create a user (I'm logged in this case as User1):\n\n{code}\n ACS.Users.login({\n // Get fields from form\n login: req.body.username,\n password: req.body.password\n }, function(data) {\n if (data.success) {\n // Set session data to be used later througout the app\n req.session.session_id = data.meta.session_id;\n req.session.user_id = data.users[0].id;\n req.session.fullname = data.users[0].first_name + ' ' + (data.users[0].last_name || '');\n req.session.userdata = data.users[0];\n \n res.redirect('/home');\n } else {\n res.redirect('/error');\n }\n });\n{code}\n\n{code}\n var params = {\n id: id,\n username: username,\n password: password,\n password_confirmation: password2,\n first_name: first_name,\n last_name: last_name,\n email: email\n };\n\n ACS.Users.create(\n params\n , function(data) {\n if (data.success) {\n console.log('User \"' + username + '\" created');\n res.redirect('/admin/users');\n } else {\n console.log('Error: ' + ((data.error && data.message) || JSON.stringify(data)));\n }\n });\n\n{code}\n\nAfter execute this code, I didn't see that the current user changed, as you noticed me. If you see my login function, I store the session_id which I use later to save any kind of objects (that's why the current logged user is the owner of it's objects):\n\n{code}\n ACS.Objects.create({\n classname: 'Languages',\n session_id: req.session.session_id,\n fields: {\n name: name,\n key: key\n }\n{code}", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-03-03T05:45:48.000+0000", "updated": "2014-03-03T05:45:48.000+0000" }, { "id": "296531", "author": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "body": "Hi, \r\n\r\nAccording your code, maybe there are 2 missing I can see.\r\n1. In ACS.Ojects.create method, there is no valid parameter called session_id. There is a valid parameter called user_id which can create object to other user if current user is app admin. So base on your code, the object 'languages' actually create to current user, not association with the session_id you saved. \r\nRef: http://docs.appcelerator.com/cloud/latest/#!/api/CustomObjects-method-create\r\n\r\n2. You said execute the create user code, didn't see current user changed. But after you create user B, if user A is not admin, user B is supposed to take user A's sesson_id and become the current user. Like user A is logout. \r\nRef: http://docs.appcelerator.com/cloud/latest/#!/api/Users-method-create", "updateAuthor": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "created": "2014-03-11T07:04:19.000+0000", "updated": "2014-03-12T05:54:17.000+0000" }, { "id": "296740", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "Hi Shuo.\n\nAbout point 1: you are right, session_id is only to validate I'm logged as a valid user, has no effect on the creation.\nAbout 2: I'm not sure that session changes automatically to User2 because with User1 I created User2, User3, User4 in a row... but I will do a test, because that will mean that User2 could delete User3, User3 also User4, and so on... in a chain, if this \"inheritance\" exists. Nevertheless, User1 is still being able to delete all the other user's objects, as if he were the owner of all.\n\nSummarizing: No admins. I create User2 from User1, I later logout and login again as User2, create objects for User2, but I'm able to delete User2's objects with User1 credentials. This situation is no explained in docs.", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-03-12T07:59:27.000+0000", "updated": "2014-03-12T07:59:27.000+0000" }, { "id": "296754", "author": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "body": "Hi,\n\nI reproduced your issues by Curl command line like:\n -- 1. Login *User A*\n -- 2. Create *User B* while *User A* is logged.\n -- 3. Show current user to make sure current user is *User B*\n -- 4. Create *Object B* while *User B* ls logging.\n -- 5. Logout *User B* and Login *User A*.\n -- 6. Delete *Object B* when current user is *User A*\n -- 7. Return error \"You don't have permission to delete object ...\" \nSo Based on my test, I did see the problem you mentioned.\n\nWould you please double check the you code, make sure this is no admin users, no ACLs. Then login to ACS web console, check the all the objects' owners to meet your expectations. For example check Object B's owner is only User B, no anyone else. Then reproduce same test again.", "updateAuthor": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "created": "2014-03-12T09:34:14.000+0000", "updated": "2014-03-12T09:34:14.000+0000" }, { "id": "296764", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "Ok, I done again my tests, even more exhaustive and the results were the same (by the way, REST doesn't works always as ACS.Node code).\n\n1. Login *User A*\n2. Create *Object A*\n3. Create *User B* while *User A* is logged\n4. Create *User C* while (I suppose) *User A* is logged (I mean, I didn't logout, but in theory docs says now I'm User B. I'm still believing is User A)\n5. Logout and Login as *User B*\n6. Create an *Object B1* and *Object B2*\n7. Logout and Login as *User C*\n8. Create an *Object C1* and *Object C2*\n9. List all objects\n10. Logout and Login as *User B*\n11. Try to delete *Object C1* (with *User B*): error, no permissions\n11. Try to delete *Object B1* (with *User B*): ok, it works\n12. Try to delete *Object A* (with *User B*): error, no permissions\n13. Logout and Login as *User C*\n14. Try to delete *Object C1* (with *User C*): ok, it works\n15. Try to delete *Object B2* (with *User C*): error, no permissions\n16. Try to delete *Object A* (with *User C*): error, no permissions\n17. Logout and Login as *User A*\n18. Try to delete *Object C2* (with *User A*): ok, it works\n19. Try to delete *Object B2* (with *User A*): ok, it works\n20. Try to delete *Object A* (with *User A*): ok, it works\n\nOnly ONE thing differentiates User A from B or C: in the field ROLE it has the value \"admin\", but it is supposed that this field is like any other one, a descriptive field. The other two users has \"publisher\" as ROLE value.\n\nAnd here comes my surprise!: if I change ROLE from \"admin\" to \"publisher\"... then *User A* cannot delete other user's objects. WTF!!??", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-03-12T13:05:38.000+0000", "updated": "2014-03-12T13:05:38.000+0000" }, { "id": "296774", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "I *CAN CONFIRM* that, if I set the ROLE field to \"admin\" in my users, they can delete other user's objects.\n\nI set it for *User C* and I was able to delete UserA's objects.\n\nIf this is a BUG, I love this bug because it's exactly what I was looking for (set and admin role by code, no from Web Console) when I set the role field.", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-03-12T14:25:45.000+0000", "updated": "2014-03-12T14:25:45.000+0000" }, { "id": "297457", "author": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "body": "Using both SDK and REST API to test, None of Them can reproduce the situation like Description in this ticket. Checked the Role parameter from source code. It is a simple descriptive property, do not effect the Admin user.", "updateAuthor": { "name": "sliang", "key": "sliang", "displayName": "Shuo Liang", "active": true, "timeZone": "Asia/Harbin" }, "created": "2014-03-17T00:54:07.000+0000", "updated": "2014-03-17T00:55:12.000+0000" }, { "id": "297507", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "You can't reproduce it? Oh, I have currently two projects running and on both it happens. Well, doesn't matters, for me is perfect this way, just what I need.", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2014-03-17T08:15:07.000+0000", "updated": "2014-03-17T08:15:07.000+0000" } ], "maxResults": 11, "total": 11, "startAt": 0 } } }