
User's resource permission not correctly applied #180

Closed
offtherailz opened this issue May 2, 2018 · 2 comments

Comments

@offtherailz (Member)

offtherailz commented May 2, 2018

See resource 5802 on mapstore dev. GET http://localhost:8081/rest/geostore/resources/resource/5802/permissions (with auth)
returns

{
   "SecurityRuleList":{
      "SecurityRule":[
         {
            "canRead":true,
            "canWrite":false,
            "group":{
               "groupName":"everyone",
               "id":479
            }
         },
         {
            "canRead":true,
            "canWrite":true,
            "user":{
               "id":5138,
               "name":"geosolutions_1"
            }
         }
      ]
   }
}

But logging in with geosolutions_1 and performing this request (add auth):

curl 'http://localhost:8081/rest/geostore/resources/resource/5802' -X PUT -H 'Pragma: no-cache' -H 'Origin: http://localhost:8081' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: it' -H 'Content-Type: application/xml' -H 'Accept: application/json, text/plain, */*' -H 'Cache-Control: no-cache' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36' -H 'Connection: keep-alive' -H 'Referer: http://localhost:8081/?debug=true' --data-binary '<Resource><description></description><metadata></metadata><name>test my dashboard</name></Resource>' --compressed

returns 403 - Forbidden

Can't update resource

and also permission update

curl 'http://localhost:8081/rest/geostore/resources/resource/5802/permissions' -H 'Pragma: no-cache' -H 'Origin: http://localhost:8081' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: it'  -H 'Content-Type: application/xml' -H 'Accept: application/json, text/plain, */*' -H 'Cache-Control: no-cache' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36' -H 'Connection: keep-alive' -H 'Referer: http://localhost:8081/?debug=true' --data-binary '<SecurityRuleList><SecurityRule><canRead>true</canRead><canWrite>false</canWrite><group><id>479</id><groupName>everyone</groupName></group></SecurityRule><SecurityRule><canRead>true</canRead><canWrite>true</canWrite><user><id>5138</id><name>geosolutions_1</name></user></SecurityRule></SecurityRuleList>' --compressed

returns 403 - Forbidden

This user cannot write this resource so neither its permissions!

I think the permission system gets the first permission rule that matches. We should try some permission changes, changing the order of the rules to replicate the issue (e.g. first the group's rule).
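The following is an added example, not GeoStore code, that models the two evaluation strategies the hypothesis above contrasts: "first applicable rule decides" versus "a flag is granted if any applicable rule grants it". It parses the permissions payload quoted in this issue and shows that first-match evaluation yields canWrite=false for geosolutions_1 with the rules in the stored order, yet canWrite=true when the rules are reversed, while the union evaluation is order-independent. The matching logic (rules keyed by user name or group name, the principal being a user name plus a set of group names) is an assumption of the example and not a description of GeoStore internals.

```python
import json

# Constructed copy of the GET .../resource/5802/permissions response quoted in the issue.
PERMISSIONS_JSON = """
{"SecurityRuleList": {"SecurityRule": [
  {"canRead": true, "canWrite": false, "group": {"groupName": "everyone", "id": 479}},
  {"canRead": true, "canWrite": true,  "user": {"id": 5138, "name": "geosolutions_1"}}
]}}
"""


def parse_rules(payload):
    """Return the list of SecurityRule dicts from a SecurityRuleList JSON payload."""
    return json.loads(payload)["SecurityRuleList"]["SecurityRule"]


def rule_applies(rule, user_name, user_groups):
    """Assumed matching: a rule is relevant if it names this user or one of the user's groups."""
    if "user" in rule:
        return rule["user"]["name"] == user_name
    if "group" in rule:
        return rule["group"]["groupName"] in user_groups
    return False


def effective_first_match(rules, user_name, user_groups):
    """Hypothesised faulty evaluation: the first applicable rule decides both flags."""
    for rule in rules:
        if rule_applies(rule, user_name, user_groups):
            return {"canRead": bool(rule["canRead"]), "canWrite": bool(rule["canWrite"])}
    return {"canRead": False, "canWrite": False}


def effective_union(rules, user_name, user_groups):
    """Expected evaluation: a flag is granted if ANY applicable rule grants it, regardless of order."""
    applicable = [r for r in rules if rule_applies(r, user_name, user_groups)]
    return {
        "canRead": any(r["canRead"] for r in applicable),
        "canWrite": any(r["canWrite"] for r in applicable),
    }


def order_sensitive(rules, user_name, user_groups, evaluate):
    """True if merely reversing the rule order changes the decision: a red flag for an authorization check."""
    forward = evaluate(rules, user_name, user_groups)
    backward = evaluate(list(reversed(rules)), user_name, user_groups)
    return forward != backward


if __name__ == "__main__":
    rules = parse_rules(PERMISSIONS_JSON)
    principal = ("geosolutions_1", {"everyone"})
    for label, evaluate in (("first-match", effective_first_match), ("union", effective_union)):
        print(label, evaluate(rules, *principal),
              "order-sensitive:", order_sensitive(rules, *principal, evaluate))
```

Running the block reproduces the report: first-match gives canWrite=False for the stored order and True for the reversed order, so the outcome depends on which rule the database happens to return first; the union strategy returns canWrite=True either way. A regression test for the fix would therefore assert the same decision for both orderings, not just for the one currently observed.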

@Gnafu (Contributor)

Gnafu commented May 3, 2018

The curl commands do not include any authentication parameter, did you omit it for the issue?

@offtherailz (Member, Author)

offtherailz commented May 3, 2018

Yes, "(with auth)" and "(add auth)" mean you have to add the auth header. The other requests need it too, but I didn't want to repeat too much.
