Posted to dev@rave.apache.org by Chris Geer <ch...@cxtsoftware.com> on 2012/08/31 09:19:35 UTC

Permissions

All, in reviewing the permissions of some objects I have a concern about
how create_or_update is being used. For example, in WidgetCommentService
the save method looks like this:

    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
    void saveWidgetComment(WidgetComment widgetComment);

When looking at the permission evaluator, it has this logic:

            case CREATE:
            case CREATE_OR_UPDATE:
                hasPermission = isWidgetCommentOwnerById(authentication,
                        widgetComment.getUser().getId());
                break;
            case DELETE:
            case UPDATE:
                // anyone can create, delete, read, or update a page that
                // they own
                hasPermission = isWidgetCommentOwner(authentication,
                        widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
                break;

So, CREATE and CREATE_OR_UPDATE have the same permission check (to see if
the userID of the user and the object passed in match). This is very
different from the update method, which actually retrieves the DB version of
the object and checks the user ID on that against the logged-in user.

I think the UI is properly protecting the resource in question but the WS
doesn't seem to be. Also, ironically, the update method doesn't actually
check to see if the userID from the DB matches the userID of the passed in
object. Maybe that is caught later.

Let me know if I'm missing something, since I didn't write this original
code. If this is really a problem, this isn't the only place. For example,
see [1].

Chris


[1] https://issues.apache.org/jira/browse/RAVE-781
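To make the difference concrete, here is an added illustration (not Apache Rave code, and not Chris's) of the two checks the thread contrasts: the CREATE_OR_UPDATE branch, which trusts the owner id carried on the submitted object, and a check that loads the persisted copy and compares owners there. The names REPOSITORY, naive_check, hardened_check and demo are hypothetical stand-ins for the evaluator, the comment repository and Spring's Authentication.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Permission(Enum):
    CREATE = "create"
    CREATE_OR_UPDATE = "create_or_update"
    UPDATE = "update"
    DELETE = "delete"


@dataclass
class WidgetComment:
    id: Optional[int]   # None until the comment has been persisted
    user_id: int        # owner as claimed by whoever submitted the object
    text: str


# Hypothetical in-memory stand-in for the comment repository (the "DB version").
REPOSITORY: dict = {}


def naive_check(auth_user_id: int, supplied: WidgetComment) -> bool:
    """Mirrors the thread's CREATE_OR_UPDATE branch: trusts the owner id on the supplied object."""
    return supplied.user_id == auth_user_id


def hardened_check(auth_user_id: int, supplied: WidgetComment, perm: Permission) -> bool:
    """Owner must match the persisted copy, and the supplied copy may not re-assign ownership."""
    if supplied.id is None:
        # Nothing is persisted yet, so only a create is possible and the supplied owner is all there is.
        return perm in (Permission.CREATE, Permission.CREATE_OR_UPDATE) and supplied.user_id == auth_user_id
    trusted = REPOSITORY.get(supplied.id)
    if trusted is None:
        return False  # unknown id: refuse rather than let the caller define the owner
    return trusted.user_id == auth_user_id and supplied.user_id == trusted.user_id


def demo() -> dict:
    """Constructed scenario: user 1 owns comment 42; user 2 resubmits it with the owner field set to 2."""
    REPOSITORY.clear()
    REPOSITORY[42] = WidgetComment(42, 1, "original")
    tampered = WidgetComment(42, 2, "overwritten")
    return {
        "naive_update_by_non_owner": naive_check(2, tampered),
        "hardened_update_by_non_owner": hardened_check(2, tampered, Permission.CREATE_OR_UPDATE),
        "hardened_update_by_owner": hardened_check(1, WidgetComment(42, 1, "edited"), Permission.UPDATE),
        "hardened_create": hardened_check(2, WidgetComment(None, 2, "new"), Permission.CREATE_OR_UPDATE),
        "hardened_owner_reassigns_owner": hardened_check(1, WidgetComment(42, 2, "given away"), Permission.UPDATE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last case is the one Chris flags separately: even a genuine owner should not be able to hand the comment to another user by changing the user id on the submitted object.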

RE: Permissions

Posted by "Franklin, Matthew B." <mf...@mitre.org>.
>-----Original Message-----
>From: Chris Geer [mailto:chris@cxtsoftware.com]
>Sent: Friday, August 31, 2012 3:20 AM
>To: dev
>Subject: Permissions
>
>All, in reviewing the permissions of some objects I have a concern about
>how create_or_update is being used. For example, in
>WidgetCommentService
>the save method looks like this:
>
>    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
>    void saveWidgetComment(WidgetComment widgetComment);
>
>When looking at the permission evaluator, it has this logic:
>
>            case CREATE:
>            case CREATE_OR_UPDATE:
>                hasPermission = isWidgetCommentOwnerById(authentication,
>                        widgetComment.getUser().getId());
>                break;
>            case DELETE:
>            case UPDATE:
>                // anyone can create, delete, read, or update a page that
>                // they own
>                hasPermission = isWidgetCommentOwner(authentication,
>                        widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
>                break;
>
>So, CREATE and CREATE_OR_UPDATE have the same permission check (to see if
>the userID of the user and the object passed in match). This is very
>different from the update method, which actually retrieves the DB version of
>the object and checks the user ID on that against the logged-in user.

IMO, CREATE_OR_UPDATE does not make sense in this context.  The above check seems to make sense for a CREATE permission only.

>
>I think the UI is properly protecting the resource in question but the WS
>doesn't seem to be. Also, ironically, the update method doesn't actually
>check to see if the userID from the DB matches the userID of the passed in
>object. Maybe that is caught later.
>
>Let me know if I'm missing something, since I didn't write this original
>code. If this is really a problem, this isn't the only place. For example,
>see [1].
>
>Chris
>
>
>[1] https://issues.apache.org/jira/browse/RAVE-781