You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by "Vivek Kumar (JIRA)" <je...@portals.apache.org> on 2009/05/04 17:13:30 UTC
[jira] Reopened: (JS2-900) SiteView should throw SecurityException
when a Node is not accessible instead of NodeNotFoundException
[ https://issues.apache.org/jira/browse/JS2-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vivek Kumar reopened JS2-900:
-----------------------------
I have reverted back my code.
Still working on this.
> SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException
> ------------------------------------------------------------------------------------------------------
>
> Key: JS2-900
> URL: https://issues.apache.org/jira/browse/JS2-900
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Profiling/Portal Navigation
> Affects Versions: 2.1.3
> Reporter: Ate Douma
> Assignee: Vivek Kumar
> Priority: Critical
> Fix For: 2.2.0
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> SiteView.getNodeProxy uses currentFolder.getAll() to lookup a target path (element).
> FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for which the current user doesn't have access.
> But this means there is no distinction possible between a not-existing page access and not-allowed page access (e.g. 404 or 403).
> The ProfilerValveImpl (invoking these) already can handle a thrown SecurityException and send a SC_FORBIDDEN error (if configured to do so).
> So, the intended behavior already is to support this.
> We just need to fix SiteView.getNodeProxy a little like calling currentFolder.getAllNodes() and perform a security check itself *if* the path was resolved.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org