[#3418] - The permission management system is horribly broken

Bug report

Let's say you have a hierarchy:

\folder A
    \folder AA
        \report AAA
        \report AAB
    \folder AB
        \report ABA
        \report ABB
\folder B
    \folder BA
        \report BAA
        \report BAB
    \folder BB
        \report BBA
        \report BBB

http://i.imgur.com/y2rtAk4.png - see the picture for the real hierarchy, because the bug reporting system also has a bug: it eats white space.

Let's say you want to give permissions to one role, let's call it NICE_ROLE, to execute any report from this hierarchy.

First, you try giving "execute" permission at the root level. It doesn't work. The users won't see any report, much less be able to execute them.

Then you try giving the role "read" permission on the root. That works. Then, what is the purpose of the "execute" permission? Probably to confuse people.

But never mind, at least "read" works, we just have a useless permission called "execute". The ugly part follows.

Now you need a new role, let's call it UGLY_ROLE. But you only need that role to be able to execute only one report: BBB.

So, you set the READ permission for UGLY_ROLE on report BBB. Of course, it doesn't work.

Not only do you not see it in the hierarchy, but the report also doesn't show in the "Library" list. I consider this a bug.

To work around this bug, you have to also give UGLY_ROLE permissions on the parent folders: BB, B and root. But since permissions are inherited by subfolders, you only really need to give UGLY_ROLE permissions to the root folder.

But wait, wouldn't giving permissions on the root folder mean that now the UGLY_ROLE also has access to reports AAA, AAB, ABA, ABB, BAA, BAB and BBA? Of course it does.

That's because there is no way to disable inheritance when you give permissions on a folder. I consider this another bug. You'll see why below.

To work around this bug, you have to select each child folder/resource you don't want to apply the permission to, and select "No access" for UGLY_ROLE. In our case, you have to select "No access" for UGLY_ROLE on folder A, folder BA and on report BBA.

If that would be all there is to it, it might still be acceptable. However, let's consider what happens when you create new items in the folders having the permission for UGLY_ROLE (root, B, and BB). Those new items, folders and any subfolders will inherit the "read" permission for UGLY_ROLE.

So each time you create a new item under root, B or BB you now have to remember to change the permission for UGLY_ROLE from "read" to "no access". I consider this behavior unacceptable.

You should be able to disable inheritance at the level you assign the permission, without having to disable it on each child, including future children. Especially the future part is extremely annoying.

If you still think this is acceptable, let's consider another hypothetical example: you have a folder with 100 reports, and you only want to give UGLY_ROLE permission to one of them. You now have to give permission to the containing folder, then all 100 reports inherit it, then you have to manually select "No access" on each of the remaining 99 reports.

The only workaround for this case is to redesign the directory structure, moving that report to a folder with fewer items. Of course, having 100 reports in one folder would be poor design. I just gave it as an example to show the inflexibility of the permission system.

Joined: Feb 24 2014 - 1:20pm
Last seen: 9 years 3 weeks ago

1 Comment:


"execute-only permission in JasperReports Server allows running reports, dashboards, and OLAP views to access a resource, but keeps the resource from appearing in the repository."
-- JasperReports Server Administrator Guide 5.5, Section 3.5.4, page 55.
Basically, "Execute Only" is an invisible Read Only permission: a user can execute such a resource but doesn't see it in the repository, search and library pages. To see and interact with a resource a user needs at least Read Only permission.

Moving to the "ugly part":
Actually, a user will see 'report BBB' in the search and library pages if they have at least Read Only permission on it, even if the parent 'folder BB' is invisible in the repository ('No Access'/'Execute Only'). Works for me in v5.5. There is a bug, though: 'report BBB' runs with an error if 'folder BB' has 'No Access' permission. In order to run this report the user should have any permission for 'folder B', at least 'Execute Only' for 'folder BB' and at least 'Read Only' for 'report BBB' itself. QA will log a bug for this case; 'report BBB' should work even if there is no access to 'folder BB'.

The simplest solution for UGLY_ROLE is to use 'Execute Only' for the root folder (B and BB will inherit it) and 'Read Only' for report BBB. Now the user won't see anything in the repository, but he will see his report in the search and library pages. Another way - 'No Access' for root, but then set 'Execute Only' for folder BB to be able to run the report (because of the bug described above).

Regarding Optional Permission Inheritance - unfortunately, we don't have such feature in JasperServer and it won't be available any time soon, sorry :(
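The following Python model is an added illustration for this thread; it is not JasperReports Server code and was written by neither the reporter nor the commenter. It encodes the inheritance rules described above as assumptions: a role's permission on a folder is inherited by every current and future child unless the child has its own explicit assignment, nothing assigned anywhere means No Access, Read Only on the report itself is enough for it to be listed in the library, and, following the v5.5 behaviour in the reply, running a report needs at least Execute Only on both the report and its immediate parent folder. The role names and the slash paths (/B/BB/BBB for report BBB) are taken from or modelled on the hierarchy in the report; the new items BBC, BC and BCA are constructed names. It compares the reporter's workaround (Read Only on root plus No Access on each unwanted sibling) with the reply's suggestion (Execute Only on root plus Read Only on the one report) after new items are created.

```python
from enum import IntEnum


class Perm(IntEnum):
    """Permission levels named in the thread, weakest to strongest."""
    NO_ACCESS = 0
    EXECUTE_ONLY = 1
    READ_ONLY = 2


class Repo:
    """Folder/report tree; a role's permission on a node comes from the nearest
    ancestor-or-self with an explicit assignment (assumed inheritance model)."""

    def __init__(self):
        self.parent = {"/": None}     # node path -> parent path
        self.kind = {"/": "folder"}   # node path -> "folder" or "report"
        self.acl = {}                 # (path, role) -> Perm set explicitly

    def add(self, path, kind):
        parent = path.rsplit("/", 1)[0] or "/"
        if parent not in self.parent:
            raise KeyError(f"parent folder {parent} does not exist")
        self.parent[path] = parent
        self.kind[path] = kind

    def set_perm(self, path, role, perm):
        self.acl[(path, role)] = perm

    def effective(self, path, role):
        # Walk towards the root: an explicit assignment on a child overrides
        # anything inherited, and no assignment anywhere means No Access.
        node = path
        while node is not None:
            if (node, role) in self.acl:
                return self.acl[(node, role)]
            node = self.parent[node]
        return Perm.NO_ACCESS

    def listed_in_library(self, path, role):
        # Per the reply: Read Only on the report itself is enough to be listed.
        return self.effective(path, role) >= Perm.READ_ONLY

    def can_run(self, path, role):
        # v5.5 behaviour from the reply: the report and its immediate parent
        # folder both need at least Execute Only (the part QA logged as a bug).
        return (self.effective(path, role) >= Perm.EXECUTE_ONLY
                and self.effective(self.parent[path], role) >= Perm.EXECUTE_ONLY)

    def library(self, role):
        return sorted(p for p, k in self.kind.items()
                      if k == "report" and self.listed_in_library(p, role))


def build_hierarchy():
    """The folder/report tree from the bug report, as slash paths."""
    repo = Repo()
    for folder in ["/A", "/A/AA", "/A/AB", "/B", "/B/BA", "/B/BB"]:
        repo.add(folder, "folder")
    for report in ["/A/AA/AAA", "/A/AA/AAB", "/A/AB/ABA", "/A/AB/ABB",
                   "/B/BA/BAA", "/B/BA/BAB", "/B/BB/BBA", "/B/BB/BBB"]:
        repo.add(report, "report")
    return repo


def add_new_items(repo):
    # Items created after the permissions were set up (constructed names).
    repo.add("/B/BB/BBC", "report")
    repo.add("/B/BC", "folder")
    repo.add("/B/BC/BCA", "report")


def read_only_on_report_alone():
    """The reporter's first attempt: Read Only on BBB and nothing else."""
    repo = build_hierarchy()
    repo.set_perm("/B/BB/BBB", "UGLY_ROLE", Perm.READ_ONLY)
    return (repo.listed_in_library("/B/BB/BBB", "UGLY_ROLE"),
            repo.can_run("/B/BB/BBB", "UGLY_ROLE"))


def reporter_workaround():
    """Read Only on root, No Access on each unwanted sibling, then new items."""
    repo = build_hierarchy()
    repo.set_perm("/", "UGLY_ROLE", Perm.READ_ONLY)
    for path in ["/A", "/B/BA", "/B/BB/BBA"]:
        repo.set_perm(path, "UGLY_ROLE", Perm.NO_ACCESS)
    add_new_items(repo)
    return repo.library("UGLY_ROLE")


def reply_workaround():
    """Execute Only on root, Read Only on the one report, then new items."""
    repo = build_hierarchy()
    repo.set_perm("/", "UGLY_ROLE", Perm.EXECUTE_ONLY)
    repo.set_perm("/B/BB/BBB", "UGLY_ROLE", Perm.READ_ONLY)
    add_new_items(repo)
    return repo.library("UGLY_ROLE"), repo.can_run("/B/BB/BBB", "UGLY_ROLE")
```

Calling the three functions shows the shape of the problem: read_only_on_report_alone() lists the report but cannot run it, reporter_workaround() leaks the later-created reports BBC and BCA into UGLY_ROLE's library because they inherit Read Only from root, and reply_workaround() keeps only BBB listed while still runnable, since new items inherit Execute Only and stay invisible. Under this model the reply's approach is the least-privilege baseline: the broad grant at the root is the weaker permission, and the single stronger grant sits on the one resource that needs it.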