You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jesse McConnell (JIRA)" <ji...@codehaus.org> on 2007/02/08 21:05:44 UTC
[jira] Commented: (CONTINUUM-1147) Even if a user doesn't show a
group in the group summary (because he doesn't have roles), he can access
to the project group page and all other sub pages if he knows the url
[ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87112 ]
Jesse McConnell commented on CONTINUUM-1147:
--------------------------------------------
1) these are all utility functions that can simply go into the ContinuumActionSupport class itself, no need to further subclass from there for these functions I don't think
2) the isAuthorized* methods on the simply return false on a lot of the exceptional conditions, I think they ought to just return a general exception wrapping these exception. And then we could have a general xwork result for these sorts of authorized behaviors that takes you to just one screen that can print out some useful error messages, 'You are unauthorized to access this context.', 'A exception occurred trying to determine if you can access this context.' etc.
3) not sure about all of the private methods on the actions that are simply wrapping up the getting of the project name from the projectId, I would probably just put a prepare() on the action and make sure the projectName is getting populated from the project id in the prepare, double check the xwork interceptor stack to make sure the params are scraped before prepare and that should be just fine, will save a lot of calls to the db to get the project name over and over.
4) I know when I went through these actions before that the methods themselves ought to be protected by different permissions, so I don't think the abstract isAuthorized from the abstract parent is worth having, just wrap up the various protections you have in the ContinuumActionSupport class and I think you'll be in great shape.
I think this approach will bear fruit on making this whole thing a lot more secure, we need to get a security mapping of operations to functionalities on the continuum wiki at some point and this is natural material for that, nice work
longer term I would like to see the action flow secured in a different manner but short of a full refactor of the actions to accommodate that, this is good
> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CONTINUUM-1147
> URL: http://jira.codehaus.org/browse/CONTINUUM-1147
> Project: Continuum
> Issue Type: Bug
> Components: Security
> Reporter: Maria Odea Ching
> Assigned To: Emmanuel Venisse
> Attachments: CONTINUUM-1147-continuum-webapp.patch
>
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira