Posted to dev@roller.apache.org by David Jencks <da...@yahoo.com> on 2008/02/13 00:16:28 UTC
Questions about permissions
I started looking at the UserManager and Permissions and have a
couple immediate questions...
Is the set of possible actions finite and known (when roller is
compiled) or is it extensible by the user? If it's known I'm going
to propose essentially a bitset implementation for actions.
Are the following really intentional?
new GlobalPermission(Arrays.emptyList()).implies(new GlobalPermission
(Arrays.singletonList("ADMIN"))) == true
new GlobalPermission(Arrays.singletonList("FOO")).implies(new
GlobalPermission(Arrays.singletonList("BAR"))) == true
and many other similar examples with WebLogPermission. This seems to
me like asking for trouble.
thanks
david jencks
Re: Questions about permissions
Posted by David Jencks <da...@yahoo.com>.
On Feb 13, 2008, at 3:18 PM, David Jencks wrote:
>
> On Feb 13, 2008, at 3:01 PM, Dave wrote:
>
>> On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>>>
>>> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>>>
>>>> I started looking at the UserManager and Permissions and have a
>>>> couple immediate questions...
>>>>
>>>> Is the set of possible actions finite and known (when roller is
>>>> compiled) or is it extensible by the user? If it's known I'm going
>>>> to propose essentially a bitset implementation for actions.
>>>>
>>>> Are the following really intentional?
>>>
>>> oops, these are supposed to be Collections.singletonList() etc.
>>>>
>>>> new GlobalPermission(Arrays.emptyList()).implies(new
>>>> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>>>>
>>>> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
>>>> GlobalPermission(Arrays.singletonList("BAR"))) == true
>>>>
>>>> and many other similar examples with WebLogPermission. This seems
>>>> to me like asking for trouble.
>>>
>>> Similarly, is the name really supposed to be ignored in both implies
>>> methods?
>>>
>>> new WebLogPermission(wl1, Collections.singletonList
>>> ("Admin")).implies
>>> (new WebLogPermission(wl2, Collections.singletonList("Admin")))
>>> == true
>>>
>>> similarly for GlobalPermission's user...
>>>
>>> etc etc
>>
>> No. That definitely looks like a bug.
>
> I'm working on a fairly major security-revamping proposal that will
> fix this as a side effect.... hope to have something in a day or two.
The patch on ROLLER-1680 fixes these and many other problems,
although of course it might introduce lots of new ones.
thanks
david jencks
>
> thanks
> david jencks
>
>>
>> - Dave
>
Re: Questions about permissions
Posted by David Jencks <da...@yahoo.com>.
On Feb 13, 2008, at 3:01 PM, Dave wrote:
> On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>>
>> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>>
>>> I started looking at the UserManager and Permissions and have a
>>> couple immediate questions...
>>>
>>> Is the set of possible actions finite and known (when roller is
>>> compiled) or is it extensible by the user? If it's known I'm going
>>> to propose essentially a bitset implementation for actions.
>>>
>>> Are the following really intentional?
>>
>> oops, these are supposed to be Collections.singletonList() etc.
>>>
>>> new GlobalPermission(Arrays.emptyList()).implies(new
>>> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>>>
>>> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
>>> GlobalPermission(Arrays.singletonList("BAR"))) == true
>>>
>>> and many other similar examples with WebLogPermission. This seems
>>> to me like asking for trouble.
>>
>> Similarly, is the name really supposed to be ignored in both implies
>> methods?
>>
>> new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
>> (new WebLogPermission(wl2, Collections.singletonList("Admin"))) ==
>> true
>>
>> similarly for GlobalPermission's user...
>>
>> etc etc
>
> No. That definitely looks like a bug.
I'm working on a fairly major security-revamping proposal that will
fix this as a side effect.... hope to have something in a day or two.
thanks
david jencks
>
> - Dave
Re: Questions about permissions
Posted by Dave <sn...@gmail.com>.
On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>
> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>
> > I started looking at the UserManager and Permissions and have a
> > couple immediate questions...
> >
> > Is the set of possible actions finite and known (when roller is
> > compiled) or is it extensible by the user? If it's known I'm going
> > to propose essentially a bitset implementation for actions.
> >
> > Are the following really intentional?
>
> oops, these are supposed to be Collections.singletonList() etc.
> >
> > new GlobalPermission(Arrays.emptyList()).implies(new
> > GlobalPermission(Arrays.singletonList("ADMIN"))) == true
> >
> > new GlobalPermission(Arrays.singletonList("FOO")).implies(new
> > GlobalPermission(Arrays.singletonList("BAR"))) == true
> >
> > and many other similar examples with WebLogPermission. This seems
> > to me like asking for trouble.
>
> Similarly, is the name really supposed to be ignored in both implies
> methods?
>
> new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
> (new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true
>
> similarly for GlobalPermission's user...
>
> etc etc
No. That definitely looks like a bug.
- Dave
Re: Questions about permissions
Posted by David Jencks <da...@yahoo.com>.
On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
> I started looking at the UserManager and Permissions and have a
> couple immediate questions...
>
> Is the set of possible actions finite and known (when roller is
> compiled) or is it extensible by the user? If it's known I'm going
> to propose essentially a bitset implementation for actions.
>
> Are the following really intentional?
oops, these are supposed to be Collections.singletonList() etc.
>
> new GlobalPermission(Arrays.emptyList()).implies(new
> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>
> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
> GlobalPermission(Arrays.singletonList("BAR"))) == true
>
> and many other similar examples with WebLogPermission. This seems
> to me like asking for trouble.
Similarly, is the name really supposed to be ignored in both implies
methods?
new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
(new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true
similarly for GlobalPermission's user...
etc etc
thanks again
>
> thanks
> david jencks
>
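
Added example, not part of the thread and not Roller's code: a minimal permission class whose implies() requires both a matching name and a superset of actions, so the cases questioned above all come out false. The class ScopedPermission, the Action enum and the weblog handles "wl1"/"wl2" are hypothetical; the enum-backed set stands in for the bitset idea raised in the first message.

```java
import java.util.Collections;
import java.util.EnumSet;

// Added example, not Roller code. Class, enum and action names are hypothetical.
public class ImpliesDemo {

    // Finite action set fixed at compile time; EnumSet stores it as a bit vector.
    enum Action { EDIT_DRAFT, POST, ADMIN }

    static final class ScopedPermission {
        private final String name;             // target of the grant, e.g. a weblog handle
        private final EnumSet<Action> actions; // actions granted (or requested) on that target

        ScopedPermission(String name, Action... actions) {
            this.name = name;
            // Start empty and add, so a permission with no actions is representable.
            this.actions = EnumSet.noneOf(Action.class);
            Collections.addAll(this.actions, actions);
        }

        // True only when the target matches AND every requested action is held.
        boolean implies(ScopedPermission requested) {
            if (requested == null || !name.equals(requested.name)) {
                return false; // a grant on one weblog says nothing about another
            }
            return actions.containsAll(requested.actions);
        }
    }

    // Fails loudly if a case does not behave as a caller would expect.
    static void check(String label, boolean expected, boolean actual) {
        if (expected != actual) {
            throw new AssertionError(label + ": expected " + expected + ", got " + actual);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed cases mirroring the ones questioned in the thread.
        check("empty implies ADMIN", false,
                new ScopedPermission("wl1").implies(new ScopedPermission("wl1", Action.ADMIN)));
        check("POST implies ADMIN", false,
                new ScopedPermission("wl1", Action.POST).implies(new ScopedPermission("wl1", Action.ADMIN)));
        check("ADMIN on wl1 implies ADMIN on wl2", false,
                new ScopedPermission("wl1", Action.ADMIN).implies(new ScopedPermission("wl2", Action.ADMIN)));
        check("ADMIN+POST on wl1 implies POST on wl1", true,
                new ScopedPermission("wl1", Action.ADMIN, Action.POST)
                        .implies(new ScopedPermission("wl1", Action.POST)));
    }
}
```

Checks like these are worth keeping as unit tests next to any implies() implementation, since an over-permissive result fails silently at every call site that trusts it.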