roller-commits mailing list archives

From "David Johnson (JIRA)" <j...@apache.org>
Subject [jira] Assigned: (ROL-1717) ui security 4.1 dev (trunk) does not seem to work.
Date Fri, 06 Feb 2009 13:44:12 GMT

     [ https://issues.apache.org/roller/browse/ROL-1717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Johnson reassigned ROL-1717:
----------------------------------

    Assignee: David Johnson  (was: Roller Unassigned)

> ui security 4.1 dev (trunk) does not seem to work.
> --------------------------------------------------
>
>                 Key: ROL-1717
>                 URL: https://issues.apache.org/roller/browse/ROL-1717
>             Project: Roller
>          Issue Type: Bug
>    Affects Versions: 5.0
>         Environment: Fedora 8 MySql
>            Reporter: Greg Huber
>            Assignee: David Johnson
>
> To reproduce the error:
> Need two users testuser and testuser1.  Create entry on testuser1 
>  
>  Login as testuser navigate to entries:
>  
>  http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog=testuser
>  
>  then in the URL type testuser1:
>  
>  http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog=testuser1
>  
>  press enter
>  
> it will show all the entries,  edit one and save which is wrong.
> ####
> The code has changed a lot from 4.0, so it looks like a refactor bug.
> It seems to be going wrong on the JPAUserManagerImpl checkPermission(..)  globalPerm.implies(perm).
> Debugging, the existingPerm is null which is correct, as test1 has no authority to test:
> existingPerm = getWeblogPermission(permToCheck.getWeblog(), user);
> But it then returns true on the globalPerm:
>         if (globalPerm.implies(perm)) return true;
> The global perms are:
> GlobalPermission:  login  comment  weblog
> but from the implies how does this relate to the test weblog?  It builds the roles from test1.
>     public boolean implies(Permission perm) {
>         if (perm instanceof RollerPermission) {
>             RollerPermission rperm = (RollerPermission)perm;
>             
>             if (hasAction(ADMIN)) {
>                 // admin implies all other permissions
>                 return true;
>                 
>             } else if (hasAction(WEBLOG)) {
>                 // Best we've got is WEBLOG, so make sure perm doesn't specify ADMIN
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(ADMIN)) return false;
>                 }
>                 
>             } else if (hasAction(LOGIN)) {
>                 // Best we've got is LOGIN, so make sure perm doesn't specify anything else
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(WEBLOG)) return false;
>                     if (action.equals(ADMIN)) return false;
>                 }
>             }
>             return true;
>         }
>         return false;
>     }
> Maybe I am missing something?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
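
Added example, not part of the original message and not Roller's own code or its eventual fix: a simplified model of the check flow described in the report, next to a variant in which a request that names a weblog must be backed by a grant on that weblog. The class, method and map names, the "post" action and the sample grants are assumptions constructed for illustration; the user names and global actions are taken from the report.

```java
import java.util.Map;
import java.util.Set;

// Added illustration (Java 16+). Simplified stand-ins, not Roller's own classes.
public class ScopedPermissionCheck {
    // A permission request: the weblog handle it targets (null = global) and its actions.
    record Perm(String weblog, Set<String> actions) {}

    // Constructed sample data: global actions per user, per-weblog grants as "user/weblog".
    static final Map<String, Set<String>> GLOBAL = Map.of(
        "testuser", Set.of("login", "comment", "weblog"),
        "testuser1", Set.of("login", "comment", "weblog"));
    static final Map<String, Set<String>> GRANTS = Map.of(
        "testuser/testuser", Set.of("admin"),
        "testuser1/testuser1", Set.of("admin"));

    // Same decision shape as the quoted implies(): only action names are compared,
    // the target weblog is never looked at.
    static boolean globalImplies(Set<String> held, Perm p) {
        if (held.contains("admin")) return true;
        if (held.contains("weblog")) return !p.actions().contains("admin");
        if (held.contains("login"))
            return !p.actions().contains("weblog") && !p.actions().contains("admin");
        return true;
    }

    // True when the user holds a grant on the requested weblog covering the actions.
    static boolean hasGrant(String user, Perm p) {
        Set<String> g = GRANTS.get(user + "/" + p.weblog());
        return g != null && (g.contains("admin") || g.containsAll(p.actions()));
    }

    // Reported flow: no per-weblog grant, then fall back to the global permission.
    static boolean checkReported(String user, Perm p) {
        return hasGrant(user, p) || globalImplies(GLOBAL.getOrDefault(user, Set.of()), p);
    }

    // Scoped flow: a request naming a weblog needs a grant on that weblog
    // (or global admin); global actions only answer global requests.
    static boolean checkScoped(String user, Perm p) {
        Set<String> held = GLOBAL.getOrDefault(user, Set.of());
        if (p.weblog() == null) return globalImplies(held, p);
        return held.contains("admin") || hasGrant(user, p);
    }

    public static void main(String[] args) {
        Perm other = new Perm("testuser1", Set.of("post"));
        Perm own = new Perm("testuser", Set.of("post"));
        System.out.println("reported, other weblog: " + checkReported("testuser", other));
        System.out.println("scoped,   other weblog: " + checkScoped("testuser", other));
        System.out.println("scoped,   own weblog:   " + checkScoped("testuser", own));
    }
}
```

In this model the reported flow approves testuser's request against testuser1's weblog because the global "weblog" action only rules out ADMIN, while the scoped flow rejects it and still allows the same request on testuser's own weblog.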

