[OPENAM-6666] Re-shared resource that is revoked by resource owner, re-shared user still has access Created: 23/Aug/15  Updated: 28/Aug/19  Resolved: 28/Aug/19

Status: Closed
Project: OpenAM
Component/s: UMA
Affects Version/s: 13.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jamie Cavanaugh [X] (Inactive) Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Centos 7
Java 8

Issue Links:
is duplicated by OPENAM-8131 Third user can still access resource ... Closed


Scenario is to have a user A, who shares a resource with user B. User B then re-shares to user C. B and C can both access the resource. If A revokes B's access I would expect neither B nor C to have access.

Steps to reproduce:

1) Register a resource as A
2) Share the resource with B
3) Log in as B, re-share the resource with C
4) Confirm that both B and C can access the resource
5) Log in as A, revoke B's access (note that A can't see C's access, so this is all they can revoke)
6) Attempt to access the resource as B - denied
7) Attempt to access the resource as C - allowed.

I would expect C's access to be denied once B's access is revoked.

Note we are using a nightly snapshot: OpenAM 13.0.0-SNAPSHOT Build 14956 (2015-August-05 02:52)

Generated at Fri Oct 23 08:29:21 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.