Posted to dev@roller.apache.org by he...@gsa.gov on 2007/07/31 20:23:10 UTC

Access to Comment Management page through email link results in Permission Denied except for global administrator

Use Case:
Blog entry creator clicks on "Link to comment management page:" in the 
email and enters Comment Management page.

Result:
Only global administrator can access Comment Management page, other users 
get a "Permission Denied" page.

Reason:
The following code snippet is quoted from the CommentManagementAction:query() 
method. The logic expects a weblog handle in the request, but the email link 
does not provide one.
        // Weblog-level access: requires a weblog handle in the request
        if (rreq.getWebsite() != null && rses.isUserAuthorized(rreq.getWebsite())) {
            fwd = mapping.findForward("commentManagement.page");
        }
        // Ensure only global admins can see all comments
        else if (rses.isGlobalAdminUser()) {
            fwd = mapping.findForward("commentManagementGlobal.page");
        }
        else {
            // And everybody else gets...
            return mapping.findForward("access-denied");
        }
The email sent to a blog entry creator has a link to the Comment Management 
page. This link points to roller-ui/authoring/commentManagement.do and 
contains two parameters, method and entryId. The 
CommentManagementAction:query() method expects to find a weblog handle in the 
request object to check for authorization, but it cannot find one, which 
fails the if clause. Only the global administrator satisfies the else clause. 
Other users will be forwarded to the "access-denied" page.

Suggested Fix:
The email link is generated by the sendEmailNotification() method in 
src\org\apache\roller\ui\rendering\servlets\CommentServlet.java and I 
quote:

    deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query&entryId=" + entry.getId());
Add the weblog handle to this link:
    deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query"
        + "&weblog=" + site.getName() + "&entryId=" + entry.getId());
The weblog handle will be passed from the email link into the request object 
and can be checked for authorization. The entryId can be used to bring up the 
Comment Management page for this entry.

I'll log this bug in the "Roller Weblogger JIRA" and hope you can fix it 
in the next release.

-hc
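The authorization flow described in the mail, as an added, self-contained example (this is not Roller's code and not the poster's; it uses stand-in classes for Roller's weblog, entry and session objects, constructed sample data, and assumes the "weblog" request parameter carries the weblog handle). It builds the notification link with the handle added, as the mail suggests, and runs a version of the query() branch logic against it. It also goes one step beyond the mail: when an entryId is present, the weblog is resolved from the entry's owner and a supplied handle is only accepted if it matches, so the check does not rest solely on a handle chosen by whoever built the URL.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Roller code: stand-ins for the objects the quoted snippet uses.
public class CommentManagementAuthzExample {

    /** Stand-in for a Roller weblog; only the handle matters here (assumption). */
    static final class Weblog {
        final String handle;
        Weblog(String handle) { this.handle = handle; }
    }

    /** Stand-in for a weblog entry that knows which weblog owns it. */
    static final class WeblogEntry {
        final String id;
        final Weblog website;
        WeblogEntry(String id, Weblog website) { this.id = id; this.website = website; }
    }

    /** Stand-in for the Roller session: handles the user may author in, plus the global-admin flag. */
    static final class Session {
        private final Set<String> authorizedHandles;
        private final boolean globalAdmin;
        Session(boolean globalAdmin, String... handles) {
            this.globalAdmin = globalAdmin;
            this.authorizedHandles = new HashSet<>(Arrays.asList(handles));
        }
        boolean isUserAuthorized(Weblog w) { return w != null && authorizedHandles.contains(w.handle); }
        boolean isGlobalAdminUser() { return globalAdmin; }
    }

    // Constructed sample data standing in for Roller's weblog/entry managers.
    static final Map<String, Weblog> WEBLOGS = new HashMap<>();
    static final Map<String, WeblogEntry> ENTRIES = new HashMap<>();
    static {
        Weblog alice = new Weblog("alice");
        Weblog bob = new Weblog("bob");
        WEBLOGS.put(alice.handle, alice);
        WEBLOGS.put(bob.handle, bob);
        ENTRIES.put("entry-1", new WeblogEntry("entry-1", alice));
        ENTRIES.put("entry-2", new WeblogEntry("entry-2", bob));
    }

    // Forward names from the quoted query() logic.
    static final String FWD_WEBLOG = "commentManagement.page";
    static final String FWD_GLOBAL = "commentManagementGlobal.page";
    static final String FWD_DENIED = "access-denied";

    /** Builds the notification link with the weblog handle added, as the mail suggests. */
    static String buildCommentManagementUrl(WeblogEntry entry) {
        return "/roller-ui/authoring/commentManagement.do?method=query"
                + "&weblog=" + entry.website.handle + "&entryId=" + entry.id;
    }

    /** Splits a link's query string into a parameter map (sample values need no URL decoding). */
    static Map<String, String> params(String url) {
        Map<String, String> out = new HashMap<>();
        for (String kv : url.substring(url.indexOf('?') + 1).split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0) out.put(kv.substring(0, eq), kv.substring(eq + 1));
        }
        return out;
    }

    /**
     * Same branch order as the quoted query() code. The one change: with an entryId
     * present, the weblog comes from the entry's owner, and a supplied "weblog"
     * parameter is accepted only if it matches, so the user is authorized against
     * the weblog that actually owns the entry being managed.
     */
    static String query(Map<String, String> p, Session rses) {
        Weblog website = null;
        String handle = p.get("weblog");
        String entryId = p.get("entryId");
        if (entryId != null) {
            WeblogEntry entry = ENTRIES.get(entryId);
            if (entry != null && (handle == null || handle.equals(entry.website.handle))) {
                website = entry.website;
            }
        } else if (handle != null) {
            website = WEBLOGS.get(handle);
        }
        if (website != null && rses.isUserAuthorized(website)) {
            return FWD_WEBLOG;
        } else if (rses.isGlobalAdminUser()) {
            return FWD_GLOBAL;
        }
        return FWD_DENIED;
    }

    public static void main(String[] args) {
        Session alice = new Session(false, "alice");
        Session admin = new Session(true);
        String oldLink = "/roller-ui/authoring/commentManagement.do?method=query&entryId=entry-1";
        String newLink = buildCommentManagementUrl(ENTRIES.get("entry-1"));
        System.out.println("old link, alice: " + query(params(oldLink), alice));
        System.out.println("new link, alice: " + query(params(newLink), alice));
        System.out.println("old link, admin: " + query(params(oldLink), admin));
        // alice's own handle on bob's entry: the entry's owner wins, so alice is denied
        System.out.println("mismatched link, alice: " + query(params("/x?weblog=alice&entryId=entry-2"), alice));
    }
}
```

With the quoted original logic, the old link (entryId only) sends alice to access-denied while the admin reaches commentManagementGlobal.page; here the entry lookup resolves the weblog for both link shapes, and the mismatched-handle case falls through to the global-admin branch rather than granting access on the strength of the handle alone.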