- Bug
- Resolution: Fixed
- Low
- 2.10.1
- 16
- Severity 3 - Minor
- 4
Description
When an administrator tries to disable a user from a delegated user directory, they get an error stating that the directory is read-only, even though the delegated directory is configured with read and write permission.
Environment
- Confluence v6.1.0
- Embedded Crowd v2.10
- Embedded Crowd v2.3.3
Steps to reproduce
- Configure a delegated directory in Confluence
- Log in as the delegated user so that the user details are copied to the Confluence database
- Log out and log in as the Confluence admin
- Go to the delegated user profile and disable the user
Expected Behavior
The user is disabled
Actual Result
The following error message appears in the logs:
2017-05-11 06:52:56,972 ERROR [http-nio-8080-exec-2] [confluence.user.crowd.CrowdDisabledUserManager] disableUser Could not disable user -- referer: http://confluence.ju.globaz.ch/admin/users/deactivateuser.action?username=jpa | url: /admin/users/deactivateuser-confirm.action | traceId: 3c79ebb000d44063 | userName: RPE | action: deactivateuser-confirm com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update user 'jpa' because directory 'Delegated LDAP Authentication' does not allow updates. Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update user 'jpa' because directory 'Delegated LDAP Authentication' does not allow updates.
After some investigation, it turns out that the Delegated Directory does not have the 'UPDATE_USER' permission in the database, inside the "CWD_DIRECTORY" table. This can be checked with the following SQL query:
SELECT COUNT(*) FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D WHERE O.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
Note
- This issue does not happen in Confluence 6.0.3, which was running Embedded Crowd version 2.8.8
Workaround
Run the following queries to check whether the permissions are granted for the directory.
-- Query 1
SELECT COUNT(*) FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D WHERE O.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
-- Query 2
SELECT COUNT(*) FROM CWD_APP_DIR_OPERATION O, CWD_APP_DIR_MAPPING M, CWD_DIRECTORY D WHERE O.APP_DIR_MAPPING_ID=M.ID AND M.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
If the result of the query is less than 12, insert the missing permissions with the following statements.
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP_ATTRIBUTE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE_ATTRIBUTE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER_ATTRIBUTE');
Replace <directory-id> with the ID of the problematic directory. For more details, please refer to this documentation.
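The count check above only tells you that fewer than 12 rows exist, and the blind INSERT list will create duplicates (or fail on the primary key) if run twice. The following script, an added example that is not part of this bug report or of Atlassian's code, reports exactly which of the 12 operations are missing for a named directory and inserts only those. It runs against a constructed in-memory SQLite stand-in for the two tables; the column names DIRECTORY_ID and OPERATION_TYPE and the directory ID 10001 are assumptions, not values from the page.

```python
import sqlite3

# The 12 directory operations the workaround expects for a read/write directory
EXPECTED_OPERATIONS = (
    "CREATE_GROUP", "CREATE_ROLE", "CREATE_USER",
    "DELETE_GROUP", "DELETE_ROLE", "DELETE_USER",
    "UPDATE_GROUP", "UPDATE_GROUP_ATTRIBUTE", "UPDATE_ROLE", "UPDATE_ROLE_ATTRIBUTE",
    "UPDATE_USER", "UPDATE_USER_ATTRIBUTE",
)

def missing_operations(conn, directory_name):
    """Expected operations that CWD_DIRECTORY_OPERATION lacks for the named directory.
    The column names DIRECTORY_ID and OPERATION_TYPE are assumed, not taken from the page."""
    rows = conn.execute(
        "SELECT O.OPERATION_TYPE FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D "
        "WHERE O.DIRECTORY_ID = D.ID AND D.DIRECTORY_NAME = ?",
        (directory_name,),
    ).fetchall()
    present = {r[0] for r in rows}
    return [op for op in EXPECTED_OPERATIONS if op not in present]

def grant_missing_operations(conn, directory_name):
    """Insert only the missing rows (idempotent: a second run inserts nothing).
    Returns the operations that were added."""
    row = conn.execute("SELECT ID FROM CWD_DIRECTORY WHERE DIRECTORY_NAME = ?",
                       (directory_name,)).fetchone()
    if row is None:
        raise ValueError(f"no directory named {directory_name!r}")
    missing = missing_operations(conn, directory_name)
    conn.executemany(
        "INSERT INTO CWD_DIRECTORY_OPERATION (DIRECTORY_ID, OPERATION_TYPE) VALUES (?, ?)",
        [(row[0], op) for op in missing],
    )
    conn.commit()
    return missing

def build_sample_db():
    """Constructed in-memory stand-in for the two Crowd tables (the real schema has more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CWD_DIRECTORY (ID INTEGER PRIMARY KEY, DIRECTORY_NAME TEXT);
        CREATE TABLE CWD_DIRECTORY_OPERATION (DIRECTORY_ID INTEGER, OPERATION_TYPE TEXT,
            PRIMARY KEY (DIRECTORY_ID, OPERATION_TYPE));
        INSERT INTO CWD_DIRECTORY VALUES (10001, 'Delegated LDAP Authentication');
    """)
    # Constructed state matching the bug report: every operation except UPDATE_USER is present
    conn.executemany("INSERT INTO CWD_DIRECTORY_OPERATION VALUES (10001, ?)",
                     [(op,) for op in EXPECTED_OPERATIONS if op != "UPDATE_USER"])
    return conn
```

Against a real Confluence database, review the list returned by missing_operations() before calling grant_missing_operations(), since granting UPDATE_USER has the side effects described below.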
Please note that modifying the database directly is dangerous; remember to generate a database dump before performing it.
A bug has been reported in Confluence regarding the same limitation: adding extra permissions to the Delegated Directory causes other issues, such as users being able to update their own email address once the UPDATE_USER permission is granted.
It would be better to follow the workaround in https://jira.atlassian.com/browse/CONFSERVER-55889 and disable the users manually in the database.