Posted to commits@roller.apache.org by "Greg Huber (JIRA)" <ji...@apache.org> on 2009/02/06 09:30:12 UTC

[jira] Commented: (ROL-1717) ui security 4.1 dev (trunk) does not seem to work.

    [ https://issues.apache.org/roller/browse/ROL-1717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14522#action_14522 ] 

Greg Huber commented on ROL-1717:
---------------------------------

Looking at this, it seems to be mixing the admin check on the weblog permissions object. Something like this as a workaround seems to work (but is not ideal):

...
} else if (hasAction(WEBLOG)) {
    if (perm instanceof GlobalPermission) {
        // Best we've got is WEBLOG, so make sure perm doesn't
        // specify ADMIN
        for (String action : rperm.getActionsAsList()) {
            if (action.equals(ADMIN))
                return false;
        }
    } else if (perm instanceof WeblogPermission) {
        // Best we've got is WEBLOG, so make sure perm doesn't
        // specify ADMIN
        for (String action : rperm.getActionsAsList()) {
            if (action.equals(WeblogPermission.ADMIN))
                return false;
        }
    } else {
        return false;
    }

} else if (hasAction(LOGIN)) {...

> ui security 4.1 dev (trunk) does not seem to work.
> --------------------------------------------------
>
>                 Key: ROL-1717
>                 URL: https://issues.apache.org/roller/browse/ROL-1717
>             Project: Roller
>          Issue Type: Bug
>    Affects Versions: 5.0
>         Environment: Fedora 8 MySql
>            Reporter: Greg Huber
>            Assignee: Roller Unassigned
>
> To reproduce the error:
> Need two users testuser and testuser1.  Create entry on testuser1 
>  
>  Login as testuser navigate to entries:
>  
>  http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog=testuser
>  
>  then in the URL type testuser1:
>  
>  http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog= testuser1
>  
>  press enter
>  
> it will show all the entries,  edit one and save which is wrong.
> ####
> The code has changed a lot from 4.0, so it looks like a refactor bug.
> It seems to be going wrong on the JPAUserManagerImpl checkPermission(..)  globalPerm.implies(perm).
> Debugging, the existingPerm is null which is correct, as test1 has no authority to test:
> existingPerm = getWeblogPermission(permToCheck.getWeblog(), user);
> But it then returns true on the globalPerm:
>         if (globalPerm.implies(perm)) return true;
> The global perms are:
> GlobalPermission:  login  comment  weblog
> but from the implies how does this relate to the test weblog?  It builds the roles from test1.
>     public boolean implies(Permission perm) {
>         if (perm instanceof RollerPermission) {
>             RollerPermission rperm = (RollerPermission)perm;
>             
>             if (hasAction(ADMIN)) {
>                 // admin implies all other permissions
>                 return true;
>                 
>             } else if (hasAction(WEBLOG)) {
>                 // Best we've got is WEBLOG, so make sure perm doesn't specify ADMIN
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(ADMIN)) return false;
>                 }
>                 
>             } else if (hasAction(LOGIN)) {
>                 // Best we've got is LOGIN, so make sure perm doesn't specify anything else
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(WEBLOG)) return false;
>                     if (action.equals(ADMIN)) return false;
>                 }
>             }
>             return true;
>         }
>         return false;
>     }
> Maybe I am missing something?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
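The scoping gap described in the issue, as an added example that is not Roller's code: a stripped-down model of GlobalPermission.implies() carrying the quoted decision logic, checked in the order the report gives for checkPermission(..), beside a hypothetical scoped variant. The class and action names mirror the report; the "post" action, the ScopeCheck class and the asReported/scoped helpers are assumptions made for this example, and the scoped variant is one possible tightening, not the project's fix.

```java
import java.util.Arrays;
import java.util.List;
// Simplified model of the permission classes named in the report (constructed for this example).
abstract class RollerPermission {
    final List<String> actions;
    RollerPermission(String... actions) { this.actions = Arrays.asList(actions); }
    boolean hasAction(String a) { return actions.contains(a); }
}
class WeblogPermission extends RollerPermission {
    static final String ADMIN = "admin";
    final String weblog; // handle of the weblog this grant is scoped to
    WeblogPermission(String weblog, String... actions) { super(actions); this.weblog = weblog; }
}
class GlobalPermission extends RollerPermission {
    static final String ADMIN = "admin", WEBLOG = "weblog", LOGIN = "login";
    GlobalPermission(String... actions) { super(actions); }
    // Same decision logic as the implies() quoted in the issue: only action names are compared,
    // so the weblog a request is scoped to never enters the decision.
    boolean implies(RollerPermission perm) {
        if (hasAction(ADMIN)) return true;
        if (hasAction(WEBLOG)) {
            for (String a : perm.actions) if (a.equals(ADMIN)) return false;
        } else if (hasAction(LOGIN)) {
            for (String a : perm.actions) if (a.equals(WEBLOG) || a.equals(ADMIN)) return false;
        }
        return true;
    }
}
public class ScopeCheck {
    // Order the report describes for checkPermission(..): per-weblog grant first, then global role.
    static boolean asReported(WeblogPermission existing, GlobalPermission global, WeblogPermission wanted) {
        if (existing != null && existing.weblog.equals(wanted.weblog)) return true;
        return global.implies(wanted); // a global WEBLOG role answers true for any weblog
    }
    // Hypothetical tightening (an assumption): a weblog-scoped request is decided by the
    // per-weblog grant alone; only a global ADMIN may fall through to implies().
    static boolean scoped(WeblogPermission existing, GlobalPermission global, WeblogPermission wanted) {
        if (existing != null && existing.weblog.equals(wanted.weblog)) return true;
        return global.hasAction(GlobalPermission.ADMIN) && global.implies(wanted);
    }
    public static void main(String[] args) {
        GlobalPermission testuser = new GlobalPermission("login", "comment", "weblog");
        WeblogPermission existing = null; // testuser holds no grant on testuser1's weblog
        WeblogPermission wanted = new WeblogPermission("testuser1", "post");
        System.out.println("as reported: " + asReported(existing, testuser, wanted));
        System.out.println("scoped:      " + scoped(existing, testuser, wanted));
    }
}
```

Running main() with the report's setup (global login/comment/weblog, no grant on testuser1) shows the global check alone letting the request through, while the scoped variant refuses it because no per-weblog grant exists.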