A user can be made group admin without specifying a set of groups to admin

Description

When editing users, it’s possible to give them the ROLE_GROUP_ADMIN role without setting a list of groups to administer. Saving is allowed, but coming back to edit will NPE, as the AbstractUserPage searches for such a list assuming it cannot be null. Recovery is possible only by editing the user service config directly.

We should have both validation on save, and tolerance for no group list.
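A sketch of the two fixes requested above (validation on save, tolerance for a missing group list), added here as an example. It is not GeoServer code: the `GroupAdminCheck` class, the `UserForm` record and both method names are hypothetical, and only the role name comes from this issue.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical stand-ins for illustration; none of these are GeoServer classes.
public class GroupAdminCheck {
    static final String GROUP_ADMIN = "ROLE_GROUP_ADMIN"; // role name from the issue

    // Role names plus the groups the user may administer.
    // adminGroups may be null when read back from a stored user.
    record UserForm(String name, Set<String> roles, List<String> adminGroups) {}

    // Null-tolerant read for the edit page: a missing list becomes an empty one,
    // so a stored user without groups can still be opened and repaired.
    static List<String> adminGroupsOf(UserForm u) {
        return u.adminGroups() == null ? List.of() : List.copyOf(u.adminGroups());
    }

    // Save-time validation: returns error messages, empty when the form is acceptable.
    static List<String> validate(UserForm u) {
        List<String> errors = new ArrayList<>();
        boolean groupAdmin = u.roles() != null && u.roles().contains(GROUP_ADMIN);
        if (groupAdmin && adminGroupsOf(u).isEmpty()) {
            errors.add(GROUP_ADMIN + " requires at least one group to administer");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample users, not taken from any real configuration.
        UserForm noGroups = new UserForm("test", Set.of(GROUP_ADMIN), null);
        UserForm withGroup = new UserForm("test2", Set.of(GROUP_ADMIN), List.of("editors"));
        UserForm noRole = new UserForm("test3", Set.of("ROLE_EXAMPLE"), null);

        // The first user is refused at save time; the other two pass.
        for (UserForm u : List.of(noGroups, withGroup, noRole)) {
            System.out.println(u.name() + " -> " + validate(u));
        }
        // Loading the already-broken user no longer dereferences a null list.
        System.out.println("groups on load: " + adminGroupsOf(noGroups));
    }
}
```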

Environment

None

Activity

Jody Garnett
May 7, 2024 at 5:45 PM

This problem was re-confirmed in the PSC meeting today from an empty data directory (so no risk of defaults getting in the way, only the raw software).

  1. Created a test user

  2. Provided GROUP_ADMIN role

  3. User was able to see the User / Group / Role screen

  4. Unable to create a new user, due to lacking permission

Details

Created April 14, 2023 at 10:04 AM
Updated May 7, 2024 at 9:05 PM