Posted to dev@roller.apache.org by he...@gsa.gov on 2007/07/31 20:23:10 UTC
Access to Comment Management page through email link results in
Permission Denied except for global administrator
Use Case:
Blog entry creator clicks on "Link to comment management page:" in the
email and enters Comment Management page.
Result:
Only global administrator can access Comment Management page, other users
get a "Permission Denied" page.
Reason:
The code snippet is quoted from CommentManagementAction:query() method.
The logic expects weblog handle in request but the email link does not
provide it.
    if (rreq.getWebsite() != null &&
            rses.isUserAuthorized(rreq.getWebsite())) {
        fwd = mapping.findForward("commentManagement.page");
    }
    // Ensure only global admins can see all comments
    else if (rses.isGlobalAdminUser()) {
        fwd = mapping.findForward("commentManagementGlobal.page");
    }
    else {
        // And everybody else gets...
        return mapping.findForward("access-denied");
    }
The email sent to a blog entry creator has a link to the Comment Management
page. This link points to roller-ui/authoring/commentManagement.do and
contains two parameters, method and entryId. The
CommentManagementAction:query() method expects to find a weblog handle in the
request object to check for authorization, but it cannot find one, which
breaks the if clause. Only the global administrator satisfies the else-if
clause. Other users will be forwarded to the "access-denied" page.
Suggest Fix:
The email link is generated by the sendEmailNotification() method in
src\org\apache\roller\ui\rendering\servlets\CommentServlet.java and I
quote:
    deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query&entryId="
        + entry.getId());
Add weblog handle to this link:
    deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query"
        + "&weblog=" + site.getName() + "&entryId=" + entry.getId());
The weblog handle will be passed from email link into the request object
and can be checked for authorization. The entryId can be used to bring up
comment management page for this entry.
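The behaviour described above, as an added example that is not Roller's own code: a small stand-alone model of the three branches quoted from CommentManagementAction:query(), driven by the original e-mail link (method and entryId only) and by the proposed link with the weblog handle added. Session, ENTRY_TO_WEBLOG, buildLink and params are hypothetical stand-ins for the Roller session, the entry store and the servlet's URL building; the sample entries and users are constructed. One thing the example adds beyond the report's fix is a cross-check that the entry named by entryId actually belongs to the weblog named in the URL, since that handle arrives in a link the client can edit.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Roller code: models the branch order quoted in this report.
public class CommentLinkAuthzDemo {

    // Constructed sample data: which weblog each entry belongs to (hypothetical store).
    static final Map<String, String> ENTRY_TO_WEBLOG = new HashMap<>();
    static {
        ENTRY_TO_WEBLOG.put("entry-1", "alice");
        ENTRY_TO_WEBLOG.put("entry-2", "bob");
    }

    // Hypothetical stand-in for the Roller session object (rses in the report).
    static class Session {
        final boolean globalAdmin;
        final Set<String> weblogs;
        Session(boolean globalAdmin, String... weblogs) {
            this.globalAdmin = globalAdmin;
            this.weblogs = new HashSet<>(Arrays.asList(weblogs));
        }
        boolean isUserAuthorized(String handle) { return weblogs.contains(handle); }
        boolean isGlobalAdminUser() { return globalAdmin; }
    }

    // Same three branches, in the same order, as the snippet in the report.
    // "weblog" is null when the link carries only method and entryId.
    static String query(Map<String, String> params, Session rses) {
        String weblog = params.get("weblog");
        String entryId = params.get("entryId");
        // Added cross-check: the handle is client-supplied, so only honour it
        // when the entry named by entryId really belongs to that weblog.
        if (weblog != null
                && weblog.equals(ENTRY_TO_WEBLOG.get(entryId))
                && rses.isUserAuthorized(weblog)) {
            return "commentManagement.page";
        } else if (rses.isGlobalAdminUser()) {
            return "commentManagementGlobal.page";
        } else {
            return "access-denied";
        }
    }

    // Builds the link the way sendEmailNotification() would; weblog == null
    // reproduces the original link, non-null the proposed fix. The handle is
    // URL-encoded because it is inserted into a query string.
    static String buildLink(String weblog, String entryId) {
        StringBuilder url = new StringBuilder(
            "/roller-ui/authoring/commentManagement.do?method=query");
        if (weblog != null) {
            url.append("&weblog=").append(URLEncoder.encode(weblog, StandardCharsets.UTF_8));
        }
        url.append("&entryId=").append(URLEncoder.encode(entryId, StandardCharsets.UTF_8));
        return url.toString();
    }

    // Parses the query string back into the parameters query() reads.
    static Map<String, String> params(String url) {
        Map<String, String> out = new HashMap<>();
        String qs = url.substring(url.indexOf('?') + 1);
        for (String pair : qs.split("&")) {
            int eq = pair.indexOf('=');
            out.put(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                    URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) {
        Session alice = new Session(false, "alice");   // owns weblog "alice"
        Session admin = new Session(true);             // global admin, no weblogs
        String[][] cases = {
            {"original link, entry owner", buildLink(null, "entry-1")},
            {"fixed link, entry owner",    buildLink("alice", "entry-1")},
            {"fixed link, wrong weblog",   buildLink("alice", "entry-2")},
        };
        for (String[] c : cases) {
            System.out.printf("%-28s alice -> %s, admin -> %s%n",
                c[0], query(params(c[1]), alice), query(params(c[1]), admin));
        }
    }
}
```

Run it with a Java 11 or newer JDK (`java CommentLinkAuthzDemo.java`). The first case shows the report's symptom: with no weblog parameter the first branch is skipped and only the global admin gets a page. The second case shows the proposed fix reaching the per-weblog branch for the entry owner, and the third shows why the entry-to-weblog cross-check is worth keeping when the handle is taken from the URL.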
I'll log this bug in the "Roller Weblogger JIRA" and hope you can fix it
in the next release.
-hc