Posted to issues@maven.apache.org by "Maria Odea Ching (JIRA)" <ji...@codehaus.org> on 2007/01/25 12:51:44 UTC

[jira] Created: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: CONTINUUM-1147
                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
             Project: Continuum
          Issue Type: Bug
          Components: Security
            Reporter: Maria Odea Ching




-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87581 ] 

Maria Odea Ching commented on CONTINUUM-1147:
---------------------------------------------

Btw, I've commented out the tests in ReleasePrepareActionTest for now because there was a problem with the authorization checks (setting the variables in ContinuumActionSupport - e.g. SecuritySession, SecuritySystem) when the tests are run.

> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, CONTINUUM-1147-continuum.patch
>
>



        

[jira] Commented: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Jesse McConnell (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87606 ] 

Jesse McConnell commented on CONTINUUM-1147:
--------------------------------------------


1) you ought to be able to get the securitySystem object in the ContinuumActionSupport base class injected, just add the @plexus.requirement on there and make sure the plexus-maven-plugin is putting it in the component declaration

2) I see a lot of isAuthenticationRequired() calls in that base class, I think a lot of these can be moved to be covered by the actions by implementing SecureAction and setting it to require authentication, then it's not required for those helper methods anymore

3) you might want to look into using the prepare() method on the base class to populate the securitySession as well, not sure if that would work in all actions though since some might not require the authentication at all :/

4) I would recommend just taking a look at these comments and if they make sense to factor them into what you have and then commit, make sure the web tests still work though...this will require a healthy amount of testing :)  Nice job though


> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, CONTINUUM-1147-continuum.patch
>
>



        

[jira] Work stopped: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on CONTINUUM-1147 stopped by Maria Odea Ching.

> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Maria Odea Ching
>         Attachments: CONTINUUM-1147-continuum-webapp.patch
>
>



        

[jira] Updated: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated CONTINUUM-1147:
----------------------------------------

    Attachment: CONTINUUM-1147-continuum.patch

Attached patch with the previous comments already applied.
I also added the modify-project-notifier-continuum operation in the ProjectDeveloperDynamicRoleProfile, it seems to be missing.

Thanks! :)

> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, CONTINUUM-1147-continuum.patch
>
>



        

[jira] Closed: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching closed CONTINUUM-1147.
---------------------------------------

    Resolution: Fixed

Committed the changes in continuum, fixed in -r509415

> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, CONTINUUM-1147-continuum.patch, CONTINUUM-1147.patch
>
>



        

[jira] Work started: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on CONTINUUM-1147 started by Maria Odea Ching.

> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Maria Odea Ching
>



        

[jira] Commented: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Jesse McConnell (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87112 ] 

Jesse McConnell commented on CONTINUUM-1147:
--------------------------------------------


1) these are all utility functions that can simply go into the ContinuumActionSupport class itself, no need to further subclass from there for these functions I don't think

2) the isAuthorized* methods simply return false on a lot of the exceptional conditions, I think they ought to just return a general exception wrapping these exceptions.  And then we could have a general xwork result for these sorts of authorized behaviors that takes you to just one screen that can print out some useful error messages, 'You are unauthorized to access this context.', 'An exception occurred trying to determine if you can access this context.' etc.

3) not sure about all of the private methods on the actions that are simply wrapping up the getting of the project name from the projectId, I would probably just put a prepare() on the action and make sure the projectName is getting populated from the project id in the prepare, double check the xwork interceptor stack to make sure the params are scraped before prepare and that should be just fine, will save a lot of calls to the db to get the project name over and over.

4) I know when I went through these actions before that the methods themselves ought to be protected by different permissions, so I don't think the abstract isAuthorized from the abstract parent is worth having, just wrap up the various protections you have in the ContinuumActionSupport class and I think you'll be in great shape.

I think this approach will bear fruit on making this whole thing a lot more secure, we need to get a security mapping of operations to functionalities on the continuum wiki at some point and this is natural material for that, nice work

longer term I would like to see the action flow secured in a different manner but short of a full refactor of the actions to accommodate that, this is good


> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch
>
>



        

[jira] Updated: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated CONTINUUM-1147:
----------------------------------------

    Attachment: CONTINUUM-1147-continuum-webapp.patch

Attached patch for this issue. Thanks!

An abstract class that performs authorization checks was created. The action classes implement an isAuthorized() method that invokes the appropriate isAuthorized***() method for the action. When the permission is not authorized, the user will be redirected to the accessDenied page. If the action fails authentication, the user will be redirected to the login page.


> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Maria Odea Ching
>         Attachments: CONTINUUM-1147-continuum-webapp.patch
>
>


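The design described in this patch comment and in Jesse's review notes above (a base action that checks authentication, then delegates to a per-action authorization check, sends unauthenticated users to login and unauthorized users to an accessDenied result, and wraps failures inside the check instead of silently returning false) is sketched here as an added, self-contained example. It is not Continuum's code and not the attached patch: the SecuritySystem and SecuritySession classes are in-memory stand-ins for the real plexus-security components, the result names and the "view-project-group" operation name are constructed placeholders, and no xwork/webwork API is used. The point it demonstrates is the bug in the issue title: hiding a group from the summary page is not a control, so the check has to run on every request, including a URL typed in directly.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Constructed example (not Continuum's code): an action base class that decides
// authentication and authorization before any action logic runs, so a user who
// types the project-group URL directly gets the same answer as one who follows a link.
public class AuthorizingActionExample {

    // Result names a web framework would map to views. Assumed names, not Continuum's.
    static final String SUCCESS = "success";
    static final String REQUIRES_AUTHENTICATION = "requires-authentication";
    static final String ACCESS_DENIED = "accessDenied";

    // Stand-in for the real security session: a null user means anonymous.
    static final class SecuritySession {
        final String user;
        SecuritySession(String user) { this.user = user; }
        boolean isAuthenticated() { return user != null; }
    }

    // Wraps any failure inside the authorization check so a caller cannot mistake
    // "the check blew up" for "the check passed" (Jesse's point 2 above).
    static final class AuthorizationException extends Exception {
        AuthorizationException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Stand-in for the real security system: operation -> user -> permitted resource ids.
    static final class SecuritySystem {
        private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

        void grant(String user, String operation, String resource) {
            grants.computeIfAbsent(operation, k -> new HashMap<>())
                  .computeIfAbsent(user, k -> new HashSet<>())
                  .add(resource);
        }

        boolean isAuthorized(SecuritySession s, String operation, String resource)
                throws AuthorizationException {
            if (s == null || s.user == null) {
                return false;
            }
            if (operation == null || resource == null) {
                // A request that names no resource cannot be authorized; surface it, don't guess.
                throw new AuthorizationException("operation and resource are required", null);
            }
            Map<String, Set<String>> byUser = grants.getOrDefault(operation, Map.of());
            return byUser.getOrDefault(s.user, Set.of()).contains(resource);
        }
    }

    // Base class: every subclass inherits the order authenticate -> authorize -> execute.
    abstract static class ContinuumActionSupport {
        protected SecuritySystem securitySystem;    // in the real app this is injected
        protected SecuritySession securitySession;  // in the real app this is set from the request

        // Subclasses only name the operation and the resource they touch.
        protected abstract String requiredOperation();
        protected abstract String resource();
        protected abstract String doExecute();

        final String execute() {
            if (securitySession == null || !securitySession.isAuthenticated()) {
                return REQUIRES_AUTHENTICATION;   // mapped to the login page
            }
            try {
                if (!securitySystem.isAuthorized(securitySession, requiredOperation(), resource())) {
                    return ACCESS_DENIED;         // mapped to the accessDenied page
                }
            } catch (AuthorizationException e) {
                // Fail closed: a broken check is an access-denied result, never a pass.
                return ACCESS_DENIED;
            }
            return doExecute();
        }
    }

    // A project-group summary action: the resource is the group id taken from the request.
    static final class ProjectGroupSummaryAction extends ContinuumActionSupport {
        private final String projectGroupId;

        ProjectGroupSummaryAction(SecuritySystem sys, SecuritySession s, String groupId) {
            this.securitySystem = sys;
            this.securitySession = s;
            this.projectGroupId = groupId;
        }
        protected String requiredOperation() { return "view-project-group"; } // placeholder name
        protected String resource() { return projectGroupId; }
        protected String doExecute() { return SUCCESS; }
    }

    public static void main(String[] args) {
        SecuritySystem sys = new SecuritySystem();
        sys.grant("alice", "view-project-group", "group-1");   // constructed grant

        System.out.println("alice, link she can see:   "
            + new ProjectGroupSummaryAction(sys, new SecuritySession("alice"), "group-1").execute());
        System.out.println("bob, no role, direct URL:  "
            + new ProjectGroupSummaryAction(sys, new SecuritySession("bob"), "group-1").execute());
        System.out.println("anonymous request:         "
            + new ProjectGroupSummaryAction(sys, new SecuritySession(null), "group-1").execute());
        System.out.println("alice, missing group id:   "
            + new ProjectGroupSummaryAction(sys, new SecuritySession("alice"), null).execute());
    }
}
```

Keeping the check in a final execute() on the base class is what makes Jesse's points 3 and 4 workable: individual actions cannot forget to call it, the operation they need is declared rather than re-implemented, and the only thing a subclass can get wrong is naming the wrong operation or resource, which a mapping of operations to functionalities (as suggested above) makes reviewable.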

        

[jira] Updated: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated CONTINUUM-1147:
----------------------------------------

    Attachment: CONTINUUM-1147.patch

Attached patch file with the second revision applied.
I haven't finished fixing the continuum-webapp-tests for the changes I've made in continuum-webapp, will submit a separate patch file for this. Thanks! :)


> Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, CONTINUUM-1147-continuum.patch, CONTINUUM-1147.patch
>
>

