Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#1378 closed defect (fixed)

HERON executives are not allowed to make sponsorship requests

Reported by: tmcmahon
Owned by: dconnolly
Priority: major
Milestone: heron-arkansas-update
Component: data-repository
Keywords: governance security, public-web
Cc: rwaitman, tmcmahon, badagarla, ngraham
Blocked By:
Blocking: #2581
Sensitive: no

Description

While working on #1362, I discovered that the current design allows only faculty to make sponsorship requests. (See test case and oversight_request method.)

Work sketch:

  1. Double-check requirements; is it the HERON IRB protocol that says executives can sponsor others?
  2. Double-check relevant end-user documentation/training materials: are there any? Should there be?
  3. Add a test; fix the bug
    • Give some thought to how this bug remained latent for so long. Do a design review of the HERON governance enforcement design?
  4. Deploy
    • The list of executives seems to have gotten lost in the shuffle; re-assemble it.

Change History (17)

comment:1 Changed 8 years ago by rwaitman

They should be able to sponsor like faculty. If you can't find the names of the executives let me know and I'll see if I can find the list.
Russ

comment:2 Changed 8 years ago by rwaitman

See #321 for the list of people from the hospital who are executives who can sponsor access.

Include
Jim Albertson jalbertson@…
Theresa Neely tneely@…
Jason Kentner jkentner@…
for UKP

comment:3 Changed 8 years ago by dconnolly

Status: new → accepted

comment:4 Changed 8 years ago by dconnolly

[4fad7de8e7b0/raven-j] fixes the code, I think. Let's do some integration testing...
umm... [e81c36d554c3/raven-j] too.

[Fri Oct 05 16:38:19 2012] [error] INFO  [heron_wsgi.cas_auth][MainThread] checkTicket at https://<test app server>.kumc.edu/heron/: no ticket to check.
[Fri Oct 05 16:38:19 2012] [error] INFO  [heron_wsgi.admin_lib.heron_policy][MainThread] issue: CanSponsor(dconnolly) faculty? False executive? True
[Fri Oct 05 16:38:19 2012] [error] INFO  [heron_wsgi.cas_auth][MainThread] CapabilityStyle.permits: CanSponsor(dconnolly) agent
[Fri Oct 05 16:38:19 2012] [error] INFO  [heron_wsgi.admin_lib.heron_policy][MainThread] issue DROC? True
[Fri Oct 05 16:38:19 2012] [error] INFO  [heron_wsgi.heron_srv][MainThread] GET https://<test app server>.kumc.edu/heron/: [('affiliate', CanSponsor(dconnolly)), ('trainingExpiration', '2014-10-01'), ('sponsorship_path', 'https://<test app server>.kumc.edu/heron/build_team/sponsorship'), ('executive', {})]

comment:5 Changed 8 years ago by dconnolly

Resolution: fixed
Status: accepted → closed

With one further tweak, [0029c2e54280/raven-j], this is fixed and deployed.

Thanks, Nathan, for the extra set of eyeballs.

comment:6 Changed 8 years ago by rwaitman

Resolution: fixed
Status: closed → reopened

comment:7 Changed 8 years ago by rwaitman

It still says I am not faculty.

I don't see the links for me to sponsor people or do a DUA. Is this waiting on actual deployment on either our or the IR side?

comment:8 Changed 8 years ago by dconnolly

Resolution: fixed
Status: reopened → closed

The faculty bug is #1482. This is the executive bug.

comment:9 Changed 8 years ago by rwaitman

Ah... sorry.

comment:10 Changed 7 years ago by dconnolly

Milestone: heron-walnut-update → heron-arkansas-update
Resolution: fixed
Status: closed → reopened
Type: defect → problem

Tamara reports March 14, 2014 11:37 AM:

I have exec rights now, but the data and sponsorship request buttons are still not showing up when I log into HERON.

I verified that at least some part of the code knows she has executive rights...

(heron_admin)dconnolly@prod-app-server:/usr/local/heron_admin/heron_wsgi/admin_lib> python heron_policy.py tmcmahon
...
DEBUG:__main__:HeronRecords.grant({'status': Status(current_training='2014-10-01', droc=(I2B2SensitiveUsage(), DecisionRecords()), executive=True, expired_training=None, faculty=False, sponsored=None, system_access_signed=[datetime.datetime(2012, 1, 31, 12, 49, 29)]), 'remote_user': <MedCenter sealed box>, 'badge': Tamara McMahon <tmcmahon@kumc.edu>}, start_i2b2)
...

comment:11 Changed 7 years ago by dconnolly

Keywords: governance,security → governance security
Reporter: changed from dconnolly to tmcmahon
Status: reopened → accepted

comment:12 Changed 7 years ago by dconnolly

Resolution: fixed
Status: accepted → closed
Type: problem → defect

fixed in [527af52af553/raven-j] and tested on <test app server>

It was broken in a way that suggests testing has been completely inadequate. I wonder how long this has been broken.

comment:13 Changed 7 years ago by dconnolly

Blocking: 2581 added

Nathan, please update production to [527af52af553/raven-j] during the downtime.

comment:14 Changed 7 years ago by ngraham

Resolution: fixed
Status: closed → reopened

Dan,

I pointed <test app server> to the new data for milestone:heron-arkansas-update (ticket:2592#comment:10) and I get an "Oops" page when I attempt to log in.

From the REDCap problem report survey, I see the error:

HERON web site crash:"sponsorship_path" not defined

From /var/log/apache2/error_log:

[Wed Mar 26 16:23:18 2014] [error] ERROR [heron_wsgi.heron_srv][MainThread] Exception raised: "sponsorship_path" not defined
[Wed Mar 26 16:23:18 2014] [error] WARNI [heron_wsgi.heron_srv][MainThread] Exception trace:
[Wed Mar 26 16:23:18 2014] [error] Traceback (most recent call last):
...
[Wed Mar 26 16:23:18 2014] [error]   File "/usr/local/heron_admin/heron_wsgi/genshi_render.py", line 25, in __call__
[Wed Mar 26 16:23:18 2014] [error]     return tmpl.generate(**value).render('xhtml')
...
[Wed Mar 26 16:23:18 2014] [error]   File "/usr/local/heron_admin/lib/python2.6/site-packages/Genshi-0.6-py2.6.egg/genshi/template/eval.py", line 410, in undefined
[Wed Mar 26 16:23:18 2014] [error]     raise UndefinedError(key, owner=owner)
[Wed Mar 26 16:23:18 2014] [error] UndefinedError: "sponsorship_path" not defined

I hadn't tried to log in to <test app server> before reconfiguring to point to the new data, but I only (intentionally) changed the usual files as per HeronLoad:

/usr/local/jboss-4.2.2.GA/server/default/deploy/heron-prod2-ds.xml
/usr/local/jboss-4.2.2.GA/server/default/conf/crcapp/CRCApplicationContext.xml
/usr/local/jboss-4.2.2.GA/server/default/conf/crcapp/crc.properties

The deployed code seems up to date with what I was supposed to deploy to production (comment:13):

ngraham@test-app-server:/usr/local/heron_admin> cat .hg_archival.txt
repo: cdad0a8a13f9d7d8920cbe3eecbf8a32c7984ec9
node: 527af52af553a210b26864ea602a886f4e04dfd4
branch: default
latesttag: null
latesttagdistance: 779

I think the error is related to this ticket so re-opening...
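The two failures in this thread illustrate a pair of mistakes worth a regression test: the policy check in comment 4 (faculty? False executive? True) had only ever considered the faculty flag, and the Genshi UndefinedError in comment 14 is the shape of failure you get when a view defines a template variable on one branch only. The sketch below is an added illustration written for this page, not HERON's heron_policy.py or heron_srv code, and it makes no claim about what the cited raven-j changesets actually changed. The names Status, CanSponsor, NoPermission, page_context and render are assumptions modelled on the log lines quoted above.

```python
"""Hypothetical sponsorship-capability check and template context, written
as an illustration for this ticket; not HERON's own code."""
from collections import namedtuple

# Constructed record, loosely modelled on the HeronRecords.grant() debug output.
Status = namedtuple("Status", "faculty executive current_training")


class CanSponsor(object):
    """Capability object: holding an instance is the authority to sponsor."""
    def __init__(self, agent):
        self.agent = agent

    def __repr__(self):
        return "CanSponsor(%s)" % self.agent


class NoPermission(Exception):
    pass


def issue_can_sponsor_faculty_only(agent, status):
    """The latent bug as the ticket describes it: only faculty qualify."""
    if not status.faculty:
        raise NoPermission("%s: faculty? %s" % (agent, status.faculty))
    return CanSponsor(agent)


def issue_can_sponsor(agent, status):
    """Fix: faculty OR executive may sponsor (requirement as stated in comment 1)."""
    if not (status.faculty or status.executive):
        raise NoPermission("%s: faculty? %s executive? %s"
                           % (agent, status.faculty, status.executive))
    return CanSponsor(agent)


# Names the (assumed) page template references.
TEMPLATE_KEYS = ("affiliate", "trainingExpiration", "sponsorship_path")


def page_context_one_branch(agent, status, base_url):
    """Anti-pattern: 'sponsorship_path' is set only on the success path, so a
    strict template engine raises an undefined-name error for non-sponsors."""
    ctx = {"affiliate": agent, "trainingExpiration": status.current_training}
    try:
        ctx["affiliate"] = issue_can_sponsor(agent, status)
        ctx["sponsorship_path"] = base_url + "build_team/sponsorship"
    except NoPermission:
        pass
    return ctx


def page_context(agent, status, base_url):
    """Every key the template references is defined on every path; a None
    value tells the template to hide the sponsorship link."""
    ctx = {"affiliate": agent,
           "trainingExpiration": status.current_training,
           "sponsorship_path": None}
    try:
        ctx["affiliate"] = issue_can_sponsor(agent, status)
    except NoPermission:
        return ctx
    ctx["sponsorship_path"] = base_url + "build_team/sponsorship"
    return ctx


def render(ctx, keys=TEMPLATE_KEYS):
    """Stand-in for tmpl.generate(**ctx): fail loudly on an undefined name."""
    for k in keys:
        if k not in ctx:
            raise KeyError('"%s" not defined' % k)
    return dict((k, ctx[k]) for k in keys)


def renders_cleanly(ctx):
    """True iff every template name is defined in ctx."""
    try:
        render(ctx)
        return True
    except KeyError:
        return False


def can_sponsor(issue, status, agent="someone"):
    """True iff the given issuer grants a CanSponsor capability for status."""
    try:
        return isinstance(issue(agent, status), CanSponsor)
    except NoPermission:
        return False


def regression_table(issue):
    """Role matrix a test suite should cover; returns {role: can_sponsor}."""
    cases = {
        "faculty": Status(faculty=True, executive=False, current_training="2014-10-01"),
        "executive": Status(faculty=False, executive=True, current_training="2014-10-01"),
        "both": Status(True, True, "2014-10-01"),
        "neither": Status(False, False, None),
    }
    return dict((role, can_sponsor(issue, st)) for role, st in cases.items())


if __name__ == "__main__":
    print(regression_table(issue_can_sponsor_faculty_only))
    print(regression_table(issue_can_sponsor))
```

Run directly, the script prints the role matrix for the buggy and fixed issuers; the "executive" row is the one that flips. The rendering half is the check that would have caught comment 14 before deployment: render the page context for a user with no sponsorship rights as well as one with them.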

comment:15 Changed 7 years ago by dconnolly

Resolution: fixed
Status: reopened → closed

Sigh. Again, poor testing.

fixed in [9d4d85d358d3/raven-j]

comment:16 Changed 7 years ago by mhoag

Keywords: public-web added

comment:17 Changed 7 years ago by ngraham

Sensitive: unset