Linked Schemas and Permissions: /home/Support/LabKey Support Forum

Linked Schemas and Permissions

LabKey Support Forum (Inactive)

View Message

Linked Schemas and Permissions

Will Holtz

2017-02-14 17:28

Status: Closed

I have two projects on my server:
Main - where all data writing occurs, only authenticated users have access
Display -Guests have reader access

I have a query derived from an assay run table within Main. The query is exposed to Display using a linked schema. When I try to view the data in the linked schema in an unauthenticated session, I get the error: "Table or query not found: MyLinkedSchema." But when an authenticated user accesses the linked schema, from within the Display project, the data shows up. This is on v16.3.

Any ideas what I'm doing wrong? Thanks!

-Will

Jon (LabKey DevOps) responded:	2017-02-15 23:19
Hi Will, So far, I haven't been able to reproduce this locally on my build of Trunk. But can you confirm that I'm setting up a good repro? I did the following: 1. Created two projects: - Main (Folder Type: Assay) - Display (Folder Type: Collaboration) 2. Created a GPAT assay under Main and added some very basic information to it to produce Assay Data. 3. Gave the Display project Reader permission to "Site: Guests" 4. Created a Linked Schema to Main from Display, specifically using the Assay Data 5. Added a Query Web Part into Display and had it point to the Linked Schema. 6. Used an incognito browser to view the Display project without logging in, effectively making me a guest on the Project. The Query Web Part rendering the grid from the Linked Schema appears without any errors. Is that close to what you were doing or was it something else like a selectRows API call? Regards, Jon

Will Holtz responded:	2017-02-16 18:09
Hi Jon, Thanks for trying to reproduce this. Unfortunately, I have spent several hours trying to come up with a small repro but have not been successful. However, I have narrowed my problem down a bit and have found another path to the same goal that does have a nice repro. 1. Created two projects: - Main (Folder Type: Assay) - Display (Folder Type: Collaboration) 2. In Main create a list, ListA with a field Name 3. Insert one row into ListA with Name ='A1' 4. In Main create a list, ListB with a field 'Foo' that is a lookup to ListA 5. Insert one row into ListB with Foo=1 ('A1') 6. Give the Display project Reader permission to "Site: Guests" 7. Create a Linked Schema to Main from Display, giving access to ListB 8. Add a Query Web Part into Display and point it to the Linked Schema. 9. View the Query Web Part in Display as an authenticated user. Note that 'A1' is displayed in the Foo column 10. Use an incognito browser to view the Display project without logging in, effectively making me a guest on the Project. Note that '1' is displayed in the Foo column. I expected both the guest and authenticated user to see 'A1' in the Foo column. Is that incorrect? thanks! -Will

Will Holtz responded:	2017-02-16 18:35
Oops - I forgot to add that at step 7 I added the following metadata: <tables xmlns="http://labkey.org/data/xml"> <table tableName="ListB" tableDbType="NOT_IN_DB"> <columns> <column columnName="Foo"> <fk> <fkFolderPath>/Main</fkFolderPath> <fkColumnName>Key</fkColumnName> <fkDbSchema>Lists</fkDbSchema> <fkTable>ListA</fkTable> <fkDisplayColumnName>Name</fkDisplayColumnName> </fk> </column> </columns> </table> </tables> -Will

Jon (LabKey DevOps) responded:	2017-03-09 20:42
Hi Will, Sorry for the delay. You're right, it appears that the Metadata is just completely ignored. When I removed the MetaData, both incognito and logged in session looked identical for the field. It was only when the metadata is used does it work for the authenticated user and not the guest. I'll get this written up into a bug. The expectation is that this should work regardless. Regards, Jon

Jon (LabKey DevOps) responded:	2017-03-09 20:52
Bug created: https://www.labkey.org/home/Developer/issues/issues-details.view?issueId=29649

Will Holtz responded:	2017-03-10 07:42
thanks Jon! -Will

Jon (LabKey DevOps) responded:	2017-06-24 21:25
Hi Will, So this appears to be by design. Per our developers answer: ========= Given the way the user set up the metadata in the thread (which is a key repro step), here's what's going on. This is By Design, I think. The Linked Schema is set up with only ListB published, not ListA. The user set up the metadata to reference folder Main directly. Therefore, when viewing the ListB in Display as a Guest, you don't have permission to see Main and therefore don't. If you change the metadata to not reference Main, well, nobody can see A1, since you're still looking at the Lists schema (which would be in Display) ListA cannot be found. If you take away the reference to the Lists schema, it's looking in the same schema, which is the linked schema, and ListA cannot be found. If you now add ListA to the linked schema, and the metadata is like this: <tables xmlns="http://labkey.org/data/xml"> <table tableName="ListB" tableDbType="NOT_IN_DB"> <columns> <column columnName="Foo"> <fk> <fkColumnName>Key</fkColumnName> <fkTable>ListA</fkTable> <fkDisplayColumnName>Name</fkDisplayColumnName> </fk> </column> </columns> </table> </tables> Then it works. In this case the FK references the same (linked) schema and ListA is published there, and the guest user has permission for the Display folder, so it works. ========= Regards, Jon