Posted to jetspeed-dev@portals.apache.org by ta...@apache.org on 2008/10/27 20:06:02 UTC

svn commit: r708276 - in /portals/jetspeed-2/portal/branches: JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/ JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspe...

Author: taylor
Date: Mon Oct 27 12:05:40 2008
New Revision: 708276

URL: http://svn.apache.org/viewvc?rev=708276&view=rev
Log:
https://issues.apache.org/jira/browse/JS2-903
When writing out fragments where the user has write access to the page, but does not have write access to specific fragments, the fragments are stripped
This fix still secures users to writing only to pages where they have access. However, if a fragment is not accessible, it's skipped over.
NOTE: the DB Page Manager had different behavior on this issue, and required no changes

Modified:
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
    portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java?rev=708276&r1=708275&r2=708276&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java Mon Oct 27 12:05:40 2008
@@ -32,6 +32,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jetspeed.JetspeedActions;
 import org.apache.jetspeed.cache.file.FileCache;
 import org.apache.jetspeed.cache.file.FileCacheEntry;
 import org.apache.jetspeed.cache.file.FileCacheEventListener;
@@ -195,27 +196,41 @@
         }
         AbstractBaseElement documentImpl = (AbstractBaseElement)document;
         documentImpl.setHandlerFactory(handlerFactory);
-        if (systemUpdate){
-        	// on system update: temporarily turn off security
-            documentImpl.setPermissionsEnabled(false);
-            documentImpl.setConstraintsEnabled(false);
-        } else {
-            documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-        }
-        documentImpl.marshalling();
-        
-        // marshal page to disk
-        String fileName = path;        
-        if (!fileName.endsWith(this.documentType))
-        {
-            fileName = path + this.documentType;
-        }
-        File f = new File(this.documentRootDir, fileName);
-        Writer writer = null;
-
+        String absolutePath = "";
+        Writer writer = null;        
         try
         {
+            // JS2-903: move try up to ensure no backdoors to disabling security
+            if (systemUpdate)
+            {
+            	// on system update: temporarily turn off security
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);
+            } 
+            else 
+            {
+                try
+                {
+                    // JS2-903: fragments are getting stripped out on write if the current user does not have edit access to write to the file
+                    document.checkAccess(JetspeedActions.EDIT);
+                }
+                catch (SecurityException se)
+                {
+                    throw new FailedToUpdateDocumentException("Insufficient Access: no edit access, cannot write.");
+                }
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);            
+            }
+            documentImpl.marshalling();
+            
+            // marshal page to disk
+            String fileName = path;        
+            if (!fileName.endsWith(this.documentType))
+            {
+                fileName = path + this.documentType;
+            }
+            File f = new File(this.documentRootDir, fileName);
+            absolutePath = f.getAbsolutePath();
             // marshal: use SAX II handler to filter document XML for
             // page and folder menu definition menu elements ordered
             // polymorphic collection to strip artifical <menu-element>
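Review bot: The new `document.checkAccess(JetspeedActions.EDIT)` call runs before anything sets the document's permission and constraint flags, so the only gate left on a non-system write depends on whatever state those flags were already in. The removed else branch applied `handlerFactory.getPermissionsEnabled()` and `handlerFactory.getConstraintsEnabled()` to the document first; if checkAccess honours those flags (not visible in this hunk), a document that arrives with them off passes the check unconditionally. Consider calling `documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());` and `documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());` immediately before the check. The inner catch also drops `se`, so the reason for the denial is lost to callers and logs. The same applies to the matching hunk in the JS2-871-pluto-2.0-upgrade copy; the method starts and ends outside this hunk.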
@@ -303,34 +318,33 @@
         }
         catch (MarshalException e)
         {
-            log.error("Could not marshal the file " + f.getAbsolutePath(), e);
+            log.error("Could not marshal the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (ValidationException e)
         {
-            log.error("Document " + f.getAbsolutePath() + " is not valid", e);
+            log.error("Document " + absolutePath + " is not valid", e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (IOException e)
         {
-            log.error("Could not save the file " + f.getAbsolutePath(), e);
+            log.error("Could not save the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (Exception e)
         {
-            log.error("Error while saving  " + f.getAbsolutePath(), e);
+            log.error("Error while saving  " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         finally
         {
-            if (systemUpdate){
-            	// restore permissions / constraints
-            	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-                documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-            }
+        	// restore permissions / constraints
+        	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
+            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
         	try
             {
-                writer.close();
+        	    if (writer != null)
+        	        writer.close();
             }
             catch (IOException e)
             {
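Review bot: The `catch (Exception e)` handler in this hunk now also receives the "Insufficient Access" FailedToUpdateDocumentException thrown by the access check that was moved inside the try, assuming that type extends Exception. A denied write is therefore logged as `"Error while saving  "` with an empty `absolutePath` (it is still `""` at that point) and then rewrapped, which buries authorization failures among I/O errors in the log. Add `catch (FailedToUpdateDocumentException e) { throw e; }` ahead of the generic handler, or run the check above the `try`, and log the denial with the document `path`. The JS2-871-pluto-2.0-upgrade copy has the same handler chain; the method body starts outside this hunk and the finally block continues past it.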

Modified: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java?rev=708276&r1=708275&r2=708276&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java (original)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java Mon Oct 27 12:05:40 2008
@@ -32,6 +32,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jetspeed.JetspeedActions;
 import org.apache.jetspeed.cache.file.FileCache;
 import org.apache.jetspeed.cache.file.FileCacheEntry;
 import org.apache.jetspeed.cache.file.FileCacheEventListener;
@@ -194,27 +195,40 @@
         }
         AbstractBaseElement documentImpl = (AbstractBaseElement)document;
         documentImpl.setHandlerFactory(handlerFactory);
-        if (systemUpdate){
-        	// on system update: temporarily turn off security
-            documentImpl.setPermissionsEnabled(false);
-            documentImpl.setConstraintsEnabled(false);
-        } else {
-            documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-        }
-        documentImpl.marshalling();
-        
-        // marshal page to disk
-        String fileName = path;        
-        if (!fileName.endsWith(this.documentType))
-        {
-            fileName = path + this.documentType;
-        }
-        File f = new File(this.documentRootDir, fileName);
-        Writer writer = null;
-
+        String absolutePath = "";
+        Writer writer = null;        
         try
         {
+            // JS2-903: move try up to ensure no backdoors to disabling security        
+            if (systemUpdate)
+            {
+            	// on system update: temporarily turn off security
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);
+            } 
+            else 
+            {
+                try
+                {
+                    // JS2-903: fragments are getting stripped out on write if the current user does not have edit access to write to the file
+                    document.checkAccess(JetspeedActions.EDIT);
+                }
+                catch (SecurityException se)
+                {
+                    throw new FailedToUpdateDocumentException("Insufficient Access: no edit access, cannot write.");
+                }
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);            
+            }
+            documentImpl.marshalling();            
+            // marshal page to disk
+            String fileName = path;        
+            if (!fileName.endsWith(this.documentType))
+            {
+                fileName = path + this.documentType;
+            }
+            File f = new File(this.documentRootDir, fileName);
+            absolutePath = f.getAbsolutePath();            
             // marshal: use SAX II handler to filter document XML for
             // page and folder menu definition menu elements ordered
             // polymorphic collection to strip artifical <menu-element>
@@ -302,34 +316,33 @@
         }
         catch (MarshalException e)
         {
-            log.error("Could not marshal the file " + f.getAbsolutePath(), e);
+            log.error("Could not marshal the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (ValidationException e)
         {
-            log.error("Document " + f.getAbsolutePath() + " is not valid", e);
+            log.error("Document " + absolutePath + " is not valid", e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (IOException e)
         {
-            log.error("Could not save the file " + f.getAbsolutePath(), e);
+            log.error("Could not save the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (Exception e)
         {
-            log.error("Error while saving  " + f.getAbsolutePath(), e);
+            log.error("Error while saving  " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         finally
         {
-            if (systemUpdate){
-            	// restore permissions / constraints
-            	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-                documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-            }
+        	// restore permissions / constraints
+        	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
+            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
         	try
             {
-                writer.close();
+        	    if (writer != null)
+        	        writer.close();
             }
             catch (IOException e)
             {


