Posted to dev@roller.apache.org by David Jencks <da...@yahoo.com> on 2008/02/13 00:16:28 UTC

Questions about permissions

I started looking at the UserManager and Permissions and have a  
couple immediate questions...

Is the set of possible actions finite and known (when roller is  
compiled) or is it extensible by the user?  If it's known I'm going  
to propose essentially a bitset implementation for actions.

Are the following really intentional?

new GlobalPermission(Arrays.emptyList()).implies(new GlobalPermission(Arrays.singletonList("ADMIN"))) == true

new GlobalPermission(Arrays.singletonList("FOO")).implies(new GlobalPermission(Arrays.singletonList("BAR"))) == true

and many other similar examples with WebLogPermission.  This seems to  
me like asking for trouble.

thanks
david jencks


Re: Questions about permissions

Posted by David Jencks <da...@yahoo.com>.
On Feb 13, 2008, at 3:18 PM, David Jencks wrote:

>
> On Feb 13, 2008, at 3:01 PM, Dave wrote:
>
>> On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>>>
>>> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>>>
>>>> I started looking at the UserManager and Permissions and have a
>>>> couple immediate questions...
>>>>
>>>> Is the set of possible actions finite and known (when roller is
>>>> compiled) or is it extensible by the user?  If it's known I'm going
>>>> to propose essentially a bitset implementation for actions.
>>>>
>>>> Are the following really intentional?
>>>
>>> oops, these are supposed to be Collections.singletonList() etc.
>>>>
>>>> new GlobalPermission(Arrays.emptyList()).implies(new
>>>> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>>>>
>>>> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
>>>> GlobalPermission(Arrays.singletonList("BAR"))) == true
>>>>
>>>> and many other similar examples with WebLogPermission.  This seems
>>>> to me like asking for trouble.
>>>
>>> Similarly, is the name really supposed to be ignored in both implies
>>> methods?
>>>
>>> new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
>>> (new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true
>>>
>>> similarly for GlobalPermission's user...
>>>
>>> etc etc
>>
>> No. That definitely looks like a bug.
>
> I'm working on a fairly major security-revamping proposal that will  
> fix this as a side effect.... hope to have something in a day or two.

The patch on ROLLER-1680 fixes these and many other problems,  
although of course it might introduce lots of new ones.

thanks
david jencks

>
> thanks
> david jencks
>
>>
>> - Dave
>



Re: Questions about permissions

Posted by David Jencks <da...@yahoo.com>.
On Feb 13, 2008, at 3:01 PM, Dave wrote:

> On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>>
>> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>>
>>> I started looking at the UserManager and Permissions and have a
>>> couple immediate questions...
>>>
>>> Is the set of possible actions finite and known (when roller is
>>> compiled) or is it extensible by the user?  If it's known I'm going
>>> to propose essentially a bitset implementation for actions.
>>>
>>> Are the following really intentional?
>>
>> oops, these are supposed to be Collections.singletonList() etc.
>>>
>>> new GlobalPermission(Arrays.emptyList()).implies(new
>>> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>>>
>>> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
>>> GlobalPermission(Arrays.singletonList("BAR"))) == true
>>>
>>> and many other similar examples with WebLogPermission.  This seems
>>> to me like asking for trouble.
>>
>> Similarly, is the name really supposed to be ignored in both implies
>> methods?
>>
>> new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
>> (new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true
>>
>> similarly for GlobalPermission's user...
>>
>> etc etc
>
> No. That definitely looks like a bug.

I'm working on a fairly major security-revamping proposal that will  
fix this as a side effect.... hope to have something in a day or two.

thanks
david jencks

>
> - Dave


Re: Questions about permissions

Posted by Dave <sn...@gmail.com>.
On Feb 12, 2008 6:31 PM, David Jencks <da...@yahoo.com> wrote:
>
> On Feb 12, 2008, at 3:16 PM, David Jencks wrote:
>
> > I started looking at the UserManager and Permissions and have a
> > couple immediate questions...
> >
> > Is the set of possible actions finite and known (when roller is
> > compiled) or is it extensible by the user?  If it's known I'm going
> > to propose essentially a bitset implementation for actions.
> >
> > Are the following really intentional?
>
> oops, these are supposed to be Collections.singletonList() etc.
> >
> > new GlobalPermission(Arrays.emptyList()).implies(new
> > GlobalPermission(Arrays.singletonList("ADMIN"))) == true
> >
> > new GlobalPermission(Arrays.singletonList("FOO")).implies(new
> > GlobalPermission(Arrays.singletonList("BAR"))) == true
> >
> > and many other similar examples with WebLogPermission.  This seems
> > to me like asking for trouble.
>
> Similarly, is the name really supposed to be ignored in both implies
> methods?
>
> new WebLogPermission(wl1, Collections.singletonList("Admin")).implies
> (new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true
>
> similarly for GlobalPermission's user...
>
> etc etc

No. That definitely looks like a bug.

- Dave

Re: Questions about permissions

Posted by David Jencks <da...@yahoo.com>.
On Feb 12, 2008, at 3:16 PM, David Jencks wrote:

> I started looking at the UserManager and Permissions and have a  
> couple immediate questions...
>
> Is the set of possible actions finite and known (when roller is  
> compiled) or is it extensible by the user?  If it's known I'm going  
> to propose essentially a bitset implementation for actions.
>
> Are the following really intentional?

oops, these are supposed to be Collections.singletonList() etc.
>
> new GlobalPermission(Arrays.emptyList()).implies(new  
> GlobalPermission(Arrays.singletonList("ADMIN"))) == true
>
> new GlobalPermission(Arrays.singletonList("FOO")).implies(new
> GlobalPermission(Arrays.singletonList("BAR"))) == true
>
> and many other similar examples with WebLogPermission.  This seems  
> to me like asking for trouble.

Similarly, is the name really supposed to be ignored in both implies  
methods?

new WebLogPermission(wl1, Collections.singletonList("Admin")).implies(new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true

similarly for GlobalPermission's user...

etc etc

thanks again
>
> thanks
> david jencks
>
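
An added example, not part of the original thread and not Roller's code or the ROLLER-1680 patch: a bitmask-backed permission whose implies() compares both the target and the action set, so the three cases questioned above come out false. The class name WeblogActionPermission, the weblog names "wl1"/"wl2" and the actions POST and EDIT_DRAFT are assumptions made for illustration; it also assumes the action set is closed at compile time.

```java
import java.util.*;
public class ImpliesDemo {
    // Assumed closed action set fixed at compile time; POST and EDIT_DRAFT are invented names.
    enum Action {
        POST, EDIT_DRAFT, ADMIN;
        int bit() { return 1 << ordinal(); }
    }

    // Hypothetical class for illustration, not Roller's WebLogPermission.
    static final class WeblogActionPermission {
        private final String weblog; // the target the thread calls the "name"
        private final int mask;      // one bit per granted action
        WeblogActionPermission(String weblog, List<String> actions) {
            int m = 0;
            for (String a : actions) {
                m |= Action.valueOf(a).bit(); // unknown action throws IllegalArgumentException
            }
            this.weblog = Objects.requireNonNull(weblog);
            this.mask = m;
        }

        // True only for the same target where every requested bit is also granted.
        boolean implies(WeblogActionPermission other) {
            return weblog.equals(other.weblog) && (mask & other.mask) == other.mask;
        }
    }

    static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        List<String> admin = Collections.singletonList("ADMIN");
        WeblogActionPermission wl1Admin = new WeblogActionPermission("wl1", admin);
        check(!new WeblogActionPermission("wl1", Collections.<String>emptyList()).implies(wl1Admin),
              "empty must not imply ADMIN");
        check(!new WeblogActionPermission("wl1", Collections.singletonList("POST")).implies(wl1Admin),
              "POST must not imply ADMIN");
        check(!wl1Admin.implies(new WeblogActionPermission("wl2", admin)), "wl1 must not imply wl2");
        check(new WeblogActionPermission("wl1", Arrays.asList("POST", "ADMIN")).implies(wl1Admin),
              "superset on the same weblog implies");
        try {
            new WeblogActionPermission("wl1", Collections.singletonList("FOO"));
            throw new AssertionError("unknown action FOO was accepted");
        } catch (IllegalArgumentException expected) {
            System.out.println("all checks passed; unknown action FOO rejected");
        }
    }
}
```

With a closed action set, an unrecognised string such as "FOO" fails at construction instead of producing a permission that compares equal to everything.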