Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any user can change an attribute of an object by creating a task #13735

Closed
AlekseevVadim opened this issue Oct 26, 2023 · 3 comments · Fixed by #14203
Closed

Any user can change an attribute of an object by creating a task #13735

AlekseevVadim opened this issue Oct 26, 2023 · 3 comments · Fixed by #14203
Assignees
@chirag-madlani
Labels
backend UI UI specific issues

Comments

@AlekseevVadim
Copy link
Contributor

Affected module
UI and backend

Describe the bug
A user without the rights to edit an object can create a request to edit an attribute and, putting himself in the place of the assignee, make a change.

To Reproduce
22_screen_cast

Expected behavior
Object attributes can be changed as a result of task approval ONLY if the user who approved the change has the rights to edit the attribute.

Version:

  • OpenMetadata version: 1.1.7

Additional context
Prohibiting the change of the assignee when creating a task would be the wrong decision. Because if I set up the policies in such a way that the owner cannot change the description, he will be able to do this through task approval!!
@harshach harshach moved this to Backend - Bugs & Minor Features in Release 1.3.0 Oct 30, 2023
@harshach harshach added UI UI specific issues backend labels Nov 9, 2023
@harshach harshach moved this from Backend - Bugs & Minor Features to UI - Bugs & Minor Features in Release 1.3.0 Nov 9, 2023
@harshach harshach removed this from Release 1.3.0 Dec 1, 2023
@harshach
Copy link
Collaborator

harshach commented Dec 1, 2023

@chirag-madlani let's close this for 1.2.3.
If there is an owner assigned to a table, we should make them the assignee for the task and do not allow the user who is creating the task to add another assignee or change the assignee.

chirag-madlani added a commit that referenced this issue Dec 1, 2023
@chirag-madlani
fix: #13735 task assignee should be entity owner if present
43ad1e8
@chirag-madlani chirag-madlani mentioned this issue Dec 1, 2023
Merged
9 tasks
chirag-madlani added a commit that referenced this issue Dec 3, 2023
@chirag-madlani
Merge branch 'main' into fix-#13735
cc687d8
@harshach harshach moved this to UI - Bugs & Minor Features in Release 1.2.3 Dec 3, 2023
chirag-madlani added a commit that referenced this issue Dec 4, 2023
@chirag-madlani
fix: #13735 task assignee should be entity owner if present (#14203)
7b2206c 
* fix: #13735 task assignee should be entity owner if present

* added e2e tests for the same

* do not allow edit asignee in case of entity has owner
@harshach harshach moved this from UI - Bugs & Minor Features to Done in Release 1.2.3 Dec 5, 2023
MrVinegar pushed a commit to MrVinegar/OpenMetadata that referenced this issue Dec 15, 2023
@chirag-madlani
fix: open-metadata#13735 task assignee should be entity owner if pres…
3055f96 
…ent (open-metadata#14203)

* fix: open-metadata#13735 task assignee should be entity owner if present

* added e2e tests for the same

* do not allow edit asignee in case of entity has owner
@AlekseevVadim
Copy link
Contributor Author

@harshach @chirag-madlani
Hello, Team!
I checked version 1.2.3.
The problem is still present.

Is the fix not included in release 1.2.3?
230_after_fix_bug

chirag-madlani added a commit that referenced this issue Dec 25, 2023
@chirag-madlani
fix: #13735 task assignee should be entity owner if present (#14203)
2c90130 
* fix: #13735 task assignee should be entity owner if present

* added e2e tests for the same

* do not allow edit asignee in case of entity has owner

(cherry picked from commit 7b2206c)
@chirag-madlani
Copy link
Collaborator

Hi, @AlekseevVadim Thanks for putting time into validating this.
I somehow missed 1.2.3, So I have added it to 1.2.4. Here the commit: 2c90130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chirag-madlani chirag-madlani

Labels
backend UI UI specific issues
Projects
No open projects
Release 1.2.3
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: #13735 task assignee should be entity owner if present open-metadata/OpenMetadata
4 participants
@harshach @sureshms @chirag-madlani @AlekseevVadim