Users are assigned Administrators Role automatically

I’ve created an application in Cuba (version 6.10.1), and defined several Roles.

The default Role is a role which is Denying and is not allowed to do anything. Besides that, I have created several other roles that can be assigned to users that enable specific functionality for that role. Several users got assigned the role that they need.

The problem I’m facing is that every new user gets the Administrator role assigned automatically after each new login, regardless of the roles that were assigned to that user. How is this possible, and how can this be avoided?

I have already tried the following:

  • Make the Administrator role not the default role
  • Create a new role that is Denying and make this the default role
  • Remove the Administrator Role

Hi,

Could you clarify how you have decided that the Administrators role is assigned to the users? Do they have the role name in the UserSession.getRoles() collection? Or do they have some permissions available only to this role?

All the users had the permissions (menus etc) available that belonged to the Administrator role, so they can do much more than they should.

In the meantime I found out that the reason can be found in the external LDAP plugin. This plugin gives every user the Administrator role via the default rule. I can’t see how I can avoid that via this plugin.

The only thing I want is to let users be authenticated against LDAP, but the user roles should not be adjusted by the LDAP plugin.

I also tried to use the Basic LDAP authentication, without the external plugin. When using the same parameters for URL, Base DN, User and Password I get an error when users try to authenticate (c.h.c.w.a.loginwindow.AppLoginWindow - Login failed: com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password).

With the external LDAP plugin, authenticating goes well but they get assigned a user role that I don’t want.

I managed to solve my problem by reverting to the basic LDAP authentication, and disabling/removing the LDAP addon.