Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-6666

Re-shared resource that is revoked by resource owner, re-shared user still has access

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: UMA
    • Labels:
    • Environment:
      Centos 7
      Java 8
      Tomcat

      Description

      Scenario is to have a user A, who shares a resource with user B. User B then re-shares to user C. B and C can both access the resource. If A revokes B's access I would expect neither B nor C to have access.

      Steps to reproduce:

      1) Register a resource as A
      2) Share the resource with B
      3) Log in as B, re-share the resource with C
      4) Confirm that both B and C can access the resource
      5) Log in as A, revoke B's access (note that A can't see C's access, so this is all they can revoke)
      6) Attempt to access the resource as B - denied
      7) Attempt to access the resource as C - allowed.

      I would expect C's access to be denied once B's access is revoked.

      Note we are using a nightly snapshot: OpenAM 13.0.0-SNAPSHOT Build 14956 (2015-August-05 02:52)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                jamiec@datacom.co.nz Jamie Cavanaugh [X] (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: