New installation of 9.0.1 (and 9.0.2) presents all non-admin users with 403 not authorized
Added by James Zuelow almost 6 years ago
This is probably a newbie config issue, but it has me stumped. None of my non-admin users are able to use the product, receiving HTTP 403 not authorized errors on any page other than the landing page.
Yesterday I built a Debian 9 system. The system is very basic - it is a basic install with no X. (In the tasksel screen I only leave the SSH server and basic system options checked.) I replace Exim with Postfix, add vim, install cron-apt, changetrack, logwatch, ntpd, and logwatch.
Then I ran through the OpenProject Debian 9 install, which pulled down the dependencies needed for OpenProject.
I was able to log in with the built-in admin account. At that point I created a second admin user. Testing consisted of running through the introductory tour, clicking through the demo project walkthrough. This worked fine.
Finally I set up LDAP authentication, tested it, and LDAP works fine.
LDAP config is pretty basic. I'm connecting to AD, so:
Login: sAMAccountName
First Name: givenName
Last Name: sn
Email: mail
Admin: (blank)
I've made minimal changes to the configuration:
- Enabled LDAP 'on-the-fly' user creation.
- Selected 'disabled' for self registration in system settings -> authentication
- Selected 'user accounts deletable by admins' in system settings -> users
Changes 1 and 2 might seem to be contradictory, but when LDAP users log in their account status shows as "active" when I inspect the users with the admin account. (I really just want to limit access to LDAP and manually created admin accounts only, and hide the 'create account' dialog.)
With this config, any LDAP user that connects is allowed to choose a default language. Then the introduction tour starts, and prompts them to choose one of the demo projects.
As soon as an LDAP user clicks on the demo project or demo scrum, they are presented with a 403 not authorized error.
No matter where I look I can't find a way to configure access beyond the initial screen. I have tried setting system settings -> authentication -> self registration to "automatic account activation" to match up with the LDAP "on-the-fly" user creation, but this does not help.
I've even purged openproject, postgresql, and apache2 (running rm -rf against any remaining directory trees or config files) twice. Re-installing from scratch does not help.
So I'm assuming there is a basic step that I've not completed or have gotten wrong. Can someone point me in the right direction?
Replies (2)
Purge of openproject, postgresql, apache2 and re-install with the new 9.0.2 displays the same behavior.
Non-admin users, including manually created non-admin users, see a 403 on any page other than the main landing page.
OK, after much log tailing, exploring, and reading I finally realized it was simple misconceptions on my part:
A "global" role does not apply to all users globally, so the Project Creator role is not automatically granted to new LDAP users. Those users are created, but must still be granted individual permissions. Additionally, at least with the community edition, users cannot be given default roles or groups.
The demo project and demo scrum can be made available to automatically created LDAP users by making those projects public. This is an easy fix, but the demo projects are not automatically set up that way. (Perhaps that would be a feature request though - it makes sense that the demonstration projects would be.)
Sorry for the bandwidth!