Write ACL on user/userRoles/groupsMembership not working when not having full user/user read right
FD displays the message "You have no permission to modify the field "groupsMembership" of object ..." when editing a user's group membership, even though the user does have an ACL assigned that allows it.
Steps to Reproduce
- Create user A
- Create an ACL role to read groups and write their member attribute. Assign it to user A on the whole tree.
- Create an ACL role allowing read/edit on some user fields (not all) and on their groups/roles membership. This is the setting I currently have:
- Assign this ACL role to user A on a branch containing user B.
- Log in as user A and edit one of the allowed fields on user B: it works.
- Still as user A, add a group to user B: when applying the change, an error message appears: "You have no permission to modify the field "groupsMembership" of object "uid=userb,ou=users,..."
=> groupsMembership read/write doesn't seem to work properly when there are write restrictions on other user fields.
As a workaround, if I manually add a new attribute "gosaAclTemplate" to the ACL role in OpenLDAP with value
1:user/user;#groupsMembership;rw, after the one set through the web interface, then user B's groups can be edited successfully by user A. But this value cannot be set through the FD web interface, and it will be lost if someone edits this entry through FD, since #groupsMembership is set in the user/userRoles block, not user/user.
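The manual workaround above expressed as an LDIF modification (an added example, not from the report or from FusionDirectory; the ACL role DN is a placeholder to replace with the real entry):

```ldif
# Constructed example: append the workaround gosaAclTemplate value to the
# ACL role entry. The DN below is a placeholder, not a real FD entry.
dn: cn=PLACEHOLDER-ACL-ROLE,ou=aclroles,dc=example,dc=com
changetype: modify
add: gosaAclTemplate
gosaAclTemplate: 1:user/user;#groupsMembership;rw
```

Apply it with `ldapmodify -x -D <admin DN> -W -f workaround.ldif`; as the report notes, the value is lost if the role is later saved through the FD web interface, so re-check the entry after any edit made there.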
User A should be able to edit group membership when granted the right within user/userRoles settings.
User A cannot edit group membership of user B even though write access to the groupsMembership attribute has been granted on user/userRoles.
Reproduces how often: 100%. Tried many combinations for user/userRoles with the same results.