portals-jetspeed-dev mailing list archives

From "tingup" <tin...@gmail.com>
Subject Permission config bug in browser
Date Sat, 10 Jul 2010 14:19:03 GMT
I found some bugs with permission editing.
org.apache.jetspeed.security.spi.impl.JetspeedSecurityPersistenceManager.java

1.    public void updatePermission(PersistentJetspeedPermission permission) throws SecurityException
    {
        Criteria criteria = new Criteria();
        if (permission.getId() == null)
        {
            // If we do not have the id property and the type or name has been changed to that of an
            // existing permission, the wrong row in the db will be edited.
            // db row1: page(type), name1(name), view,edit(action)
            // db row2: page(type), name2(name), view,edit,help(action)
            // I change row 1, which was shown in the browser: change the name to "name2" and the
            // action to "view", then click save.
            // Row2 is changed to db row2: page(type), name2(name), view(action), and row1 is not changed.
//            criteria.addEqualTo("type", permission.getType());
//            criteria.addEqualTo("name", permission.getName());
            throw new SecurityException(SecurityException.PERMISSION_DOES_NOT_EXIST.create("update failed, permission.id is null."));
        }
        else
        {
            criteria.addEqualTo("id", permission.getId());
        }
        Query query = QueryFactory.newQuery(PersistentJetspeedPermissionImpl.class, criteria);
        PersistentJetspeedPermission current = (PersistentJetspeedPermission)getPersistenceBrokerTemplate().getObjectByQuery(query);
        if (current == null)
        {
            throw new SecurityException(SecurityException.PERMISSION_DOES_NOT_EXIST.create(permission.getName()+" "+permission.getActions()));
        }
        if (!current.getActions().equals(permission.getActions()))
        {
            current.setActions(permission.getActions());
            try
            {
                getPersistenceBrokerTemplate().store(current);
            }
            catch (Exception pbe)
            {
                KeyedMessage msg = SecurityException.UNEXPECTED.create("JetspeedSecurityPersistenceManager",
                                                                       "updatePermission",
                                                                       pbe.getMessage());
                logger.error(msg, pbe);
                throw new SecurityException(msg, pbe);
            }
        }
    }    

2.    public List<JetspeedPrincipal> getPrincipals(PersistentJetspeedPermission permission, String principalType)
    {
        Criteria criteria = new Criteria();
        if (permission.getId() != null)
        {
            criteria.addEqualTo("permissions.permissionId", permission.getId());
        }
        else
        {
            criteria.addEqualTo("permissions.permission.type", permission.getType());
            criteria.addEqualTo("permissions.permission.name", permission.getName());
            // I added one more condition:
            criteria.addEqualTo("permissions.permission.actions", permission.getActions());
        }
        if (principalType != null)
        {
            criteria.addEqualTo("type", principalType);
        }
        criteria.addEqualTo("domainId", getDefaultSecurityDomainId());
        QueryByCriteria query = QueryFactory.newQuery(PersistentJetspeedPrincipal.class, criteria);
        query.addOrderByAscending("type");
        query.addOrderByAscending("name");
        return (List<JetspeedPrincipal>) getPersistenceBrokerTemplate().execute(new ManagedListByQueryCallback(query));
    }
The same applies to:
public void removePermission(PersistentJetspeedPermission permission) throws SecurityException
public void grantPermission(PersistentJetspeedPermission permission, JetspeedPrincipal principal) throws SecurityException
public void grantPermissionOnlyTo(PersistentJetspeedPermission permission, String principalType, List<JetspeedPrincipal> principals) throws SecurityException
public void revokePermission(PersistentJetspeedPermission permission, JetspeedPrincipal principal) throws SecurityException

One more bug: if I edit the permission condition, it does not take effect for users who are already logged in to the system.
That is because org.apache.jetspeed.security.impl.PermissionManagerImpl uses ThreadLocal<HashMap<Long,Permissions>> permissionsCache.
I suggest using a JetspeedSecurityPersistenceManagerCache that implements org.apache.ojb.broker.cache.ObjectCache;
then we can clear the cache after the permission config changes.

I have made the change, and don't know if it can be accepted.

org.apache.jetspeed.decoration.PageActionAccess has the same bug
    public void checkReset(boolean anonymous, ContentPage page) {
        // if (this.anonymous != anonymous)
        // {
        // this.anonymous = anonymous;
        // this.editAllowed = checkEditPage(page);
        // this.fragmentActionAccess.clear();
        // this.editing = false;
        // }
        // use this code instead, so the permission config takes effect immediately
        if (this.anonymous != anonymous) {
            this.anonymous = anonymous;
            this.editing = false;
        }
        this.editAllowed = checkEditPage(page);
        this.fragmentActionAccess.clear();
    }
2010-07-10 



tingup 
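
The wrong-row update described in item 1 of the message, reproduced as an added example that is not part of the original post or of Jetspeed's code. The Row class, the in-memory table and both update methods are constructed stand-ins; the two sample rows are the ones given in the report.

```java
import java.util.*;

public class PermissionUpdateDemo {
    // Constructed stand-in for a permission row; not Jetspeed's PersistentJetspeedPermission.
    static final class Row {
        final Long id; String type, name, actions;
        Row(Long id, String type, String name, String actions) {
            this.id = id; this.type = type; this.name = name; this.actions = actions;
        }
        @Override public String toString() { return id + ": " + type + ", " + name + ", " + actions; }
    }

    // The two rows from the report, keyed by a surrogate id.
    static Map<Long, Row> sampleTable() {
        Map<Long, Row> db = new LinkedHashMap<>();
        db.put(1L, new Row(1L, "page", "name1", "view,edit"));
        db.put(2L, new Row(2L, "page", "name2", "view,edit,help"));
        return db;
    }

    // Behaviour described in the report: with no id, the row is located by (type, name).
    static Row updateByTypeAndName(Map<Long, Row> db, Row edited) {
        for (Row r : db.values()) {
            if (r.type.equals(edited.type) && r.name.equals(edited.name)) {
                r.actions = edited.actions;   // lands on whichever row already has that name
                return r;
            }
        }
        throw new NoSuchElementException(edited.name + " " + edited.actions);
    }

    // The reporter's approach: refuse an update without an id, then locate by id only.
    static Row updateById(Map<Long, Row> db, Row edited) {
        if (edited.id == null) throw new IllegalArgumentException("update failed, permission id is null");
        Row r = db.get(edited.id);
        if (r == null) throw new NoSuchElementException("no permission with id " + edited.id);
        r.actions = edited.actions;
        return r;
    }

    public static void main(String[] args) {
        Map<Long, Row> db = sampleTable();
        // Row 1 is edited in the form to name "name2", actions "view", and submitted without its id.
        Row touched = updateByTypeAndName(db, new Row(null, "page", "name2", "view"));
        System.out.println("by type+name: changed row " + touched.id + " -> " + db.values());
        db = sampleTable();
        touched = updateById(db, new Row(1L, "page", "name2", "view"));
        System.out.println("by id:        changed row " + touched.id + " -> " + db.values());
    }
}
```

Like the posted updatePermission, both methods write only the actions column, so the difference between the two runs is solely which row receives the new action set.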
