RE: Permissions

["Franklin, Matthew B." <mf...@mitre.org>]

>-----Original Message-----
>From: Chris Geer [mailto:chris@cxtsoftware.com]
>Sent: Friday, August 31, 2012 3:20 AM
>To: dev
>Subject: Permissions
>
>All, in reviewing the permissions of some objects I have a concern about
>how create_or_update is being used. For example, in
>WidgetCommentService
>the save method looks like this:
>
>    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
>    void saveWidgetComment(WidgetComment widgetComment);
>
>When looking at the permission evaluator it has this logic
>
>            case CREATE:
>            case CREATE_OR_UPDATE:
>                hasPermission = isWidgetCommentOwnerById(authentication,
>widgetComment.getUser().getId());
>                break;
>            case DELETE:
>            case UPDATE:
>                // anyone can create, delete, read, or update a page that
>they own
>                hasPermission = isWidgetCommentOwner(authentication,
>widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
>                break;
>
>So, CREATE and CREATE_OR_UPDATE have the same permission check (to see
>if
>the userID of the user and the object passed in match). This is very
>different than the update method which actually retrieves the DB version of
>the object and checks the user ID on that against the logged in user.

IMO, CREATE_OR_UPDATE does not make sense in this context.  The above check seems to make sense for a CREATE permission only.

>
>I think the UI is properly protecting the resource in question but the WS
>doesn't seem to be. Also, ironically, the update method doesn't actually
>check to see if the userID from the DB matches the userID of the passed in
>object. Maybe that is caught later.
>
>Let me know if I'm missing something since I didn't write this original
>code. If this is really a problem this isn't the only place. For example
>see [1]
>
>Chris
>
>
>[1] https://issues.apache.org/jira/browse/RAVE-781