You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@rave.apache.org by "Jasha Joachimsthal (Created) (JIRA)" <ji...@apache.org> on 2011/10/10 21:28:29 UTC
[jira] [Created] (RAVE-298) Page manipulations are unchecked
Page manipulations are unchecked
--------------------------------
Key: RAVE-298
URL: https://issues.apache.org/jira/browse/RAVE-298
Project: Rave
Issue Type: Bug
Affects Versions: 0.4-INCUBATING
Reporter: Jasha Joachimsthal
Priority: Critical
Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (RAVE-298) Page manipulations are unchecked
Posted by "Anthony Carlucci (Assigned) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anthony Carlucci reassigned RAVE-298:
-------------------------------------
Assignee: Anthony Carlucci
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Assignee: Anthony Carlucci
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (RAVE-298) Page manipulations are unchecked
Posted by "Jasha Joachimsthal (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13132486#comment-13132486 ]
Jasha Joachimsthal commented on RAVE-298:
-----------------------------------------
Thanks for the documentation. Can you find some time to add examples to the documentation (e.g. User needs access to own Page, admin needs acces to other User's Page)?
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Assignee: Anthony Carlucci
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (RAVE-298) Page manipulations are unchecked
Posted by "Anthony Carlucci (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13129107#comment-13129107 ]
Anthony Carlucci commented on RAVE-298:
---------------------------------------
More updates:
- created common AbstractRestApi class
- updated the DefaultPagePermissionEvaluator to handle permission checks when the object to be checked differs from the returned Object
- secured remaining PageService methods that deal with Page objects, except addNewDefaultPage (see RAVE-303)
Still TODO:
1) Documentation!
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Assignee: Anthony Carlucci
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (RAVE-298) Page manipulations are unchecked
Posted by "Anthony Carlucci (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13127854#comment-13127854 ]
Anthony Carlucci commented on RAVE-298:
---------------------------------------
Code checked in:
- implemented DefaultPagePermissionEvaluator
- protected one PageService method: getPage
- added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi
- fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent duplicate bean creation
Still TODO:
1) finish securing the rest of the PageService methods with permission annotations
2) refactor the handleAccessDeniedException up into an AbstractRestApi class since it is common functionality that all RestApi controllers will want
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Assignee: Anthony Carlucci
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (RAVE-298) Page manipulations are unchecked
Posted by "Jasha Joachimsthal (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasha Joachimsthal updated RAVE-298:
------------------------------------
Fix Version/s: 0.5-INCUBATING
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (RAVE-298) Page manipulations are unchecked
Posted by "Anthony Carlucci (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anthony Carlucci resolved RAVE-298.
-----------------------------------
Resolution: Fixed
Documentation has been published on how to implement model permission security for the rest of our models and services: http://incubator.apache.org/rave/documentation/index.html
I will be closing this ticket and creating a separate set of issues to finish implementing ModelPermissionEvaluator classes for the rest of our models and annotating our service interfaces.
> Page manipulations are unchecked
> --------------------------------
>
> Key: RAVE-298
> URL: https://issues.apache.org/jira/browse/RAVE-298
> Project: Rave
> Issue Type: Bug
> Affects Versions: 0.4-INCUBATING
> Reporter: Jasha Joachimsthal
> Assignee: Anthony Carlucci
> Priority: Critical
> Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira