Allow user to unlock a tree that has been locked for editing by another #3231

Closed
RustedKnight opened this issue Feb 4, 2020 · 3 comments
Labels
bug Undesired behaviour resolved A fixed issue

Comments

@RustedKnight

As my organization is working through a migration from 0.8x to 1.2.x, we have come across a potential vulnerability. One of my co-admins and I were discussing this. While we see the need to lock a tree for editing by a single person, we can see how this would be a major risk. For example, say there is a rogue employee who, due to the nature of their job, has to have admin rights. It would be possible for them to lock every tree for editing, then remove their account and quit via no call, no show. This would essentially render the entire tree structure unusable. Would it be possible to create a privilege that would allow a few select accounts to unlock trees that are already locked, so that in the event of something like this the tree structure can be recovered?

@netniV
Member

netniV commented Feb 4, 2020

I'm not sure whether such functionality exists or not; I'd have to take a look tomorrow. Certainly, I do not recall a privilege for it, but there may be a CLI method. If not, we should certainly look to enhance that in 1.3. Until it's decided one way or the other, I'm going to tag unverified as I don't just want to slap the enhancement tag on unnecessarily.

@netniV netniV added the unverified Some days we don't have a clue label Feb 4, 2020
@RustedKnight
Author

RustedKnight commented Feb 5, 2020

I'm not saying it has to be a privilege that can be set. Perhaps it may be easier to set a sunset on the lock. For example, if a tree is locked for 2 hours, check to see if the editing page is still open; if it is not open, auto unlock. Or maybe if a tree is locked for editing for, say, greater than 12 hours, auto unlock it. I just know we stumbled across a situation that brought this conversation up and I wanted to pass it along, as it seemed a valid concern and based on our testing it could be a problem. I do, however, concede that our testing is GUI based only up to this point. If you find a way, even if it is only through command line, then I am all ears.

@netniV netniV self-assigned this Feb 5, 2020
@TheWitness TheWitness added bug Undesired behaviour and removed unverified Some days we don't have a clue labels Mar 14, 2020
@TheWitness TheWitness added this to the 1.2.11 milestone Mar 14, 2020
TheWitness added a commit that referenced this issue Mar 14, 2020
Ability to unlock a tree that has been locked for editing by another account.
@TheWitness
Member

Resolved.

@TheWitness TheWitness added the resolved A fixed issue label Mar 14, 2020
@netniV netniV changed the title Ability to unlock a tree that has been locked for editing by another account. Allow user to unlock a tree that has been locked for editing by another Apr 5, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Jul 5, 2020