Write ACL on user/userRoles/groupsMembership not working when not having full user/user read right
Description
FD displays the message "You have no permission to modify the field "groupsMembership" of object ..." when editing a user's group membership, even though the user does have an ACL assigned that allows him to do so.
Distribution Name and Version
Debian jessie
FusionDirectory Version
1.3
PHP version used
PHP 5.6.40-0+deb8u2
Origin of php packages
debian
Steps to Reproduce
- Create user A
- Create an ACL role to read groups and write their member attribute. Assign to user A on the whole tree.
- Create an ACL role to allow read/edit on some user fields (not all) and their groups/roles membership. This is the setting I currently have:
0:user/userRoles;cmdrw#groupsMembership;rw#rolesMembership;rw,user/user;#cn;w#sn;rw#givenName;rw#description;rw#jpegPhoto;rw#l;rw#st;rw#postalAddress;rw#telephoneNumber;rw#mobile;rw#pager;rw#facsimileTelephoneNumber;rw#uid;r#preferredLanguage;rw#displayName;r#homePostalAddress;rw#homePhone;rw#title;rw#o;r#ou;rw#departmentNumber;rw#employeeNumber;rw#employeeType;rw#manager;rw#userLock;r
- Assign this ACL role to user A on a branch containing user B
- Log in as user A and edit one of the allowed fields on user B: it works.
- Still as user A, add a group to user B: when applying the change, an error message appears: "You have no permission to modify the field "groupsMembership" of object "uid=userb,ou=users,..."
=> groupsMembership read/write doesn't seem to work properly when there are write restrictions on other user fields.
As a workaround, if I manually add a new attribute "gosaAclTemplate" to the ACL role in OpenLDAP with value 1:user/user;#groupsMembership;rw, after the one set through the web interface, then user B's groups can be edited successfully by user A. But this value cannot be set through the FD web interface, and it will be lost if someone edits this entry through FD, since groupsMembership is set in the user/userRoles block, not in user/user.
Expected behavior:
User A should be able to edit group membership when granted the right within user/userRoles settings.
Actual behavior:
User A cannot edit group membership of user B even though the write of the groupsMembership attribute has been granted on user/userRoles.
Reproduces how often: 100%. Tried many combinations for user/userRoles with the same results.