Message-ID: <2043519261.1233927852703.JavaMail.jira@brutus>
Date: Fri, 6 Feb 2009 05:44:12 -0800 (PST)
From: "David Johnson (JIRA)"
To: commits@roller.apache.org
Subject: [jira] Assigned: (ROL-1717) ui security 4.1 dev (trunk) does not seem to work.
In-Reply-To: <1960202120.1210671539047.JavaMail.jira@brutus>

     [ https://issues.apache.org/roller/browse/ROL-1717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Johnson reassigned ROL-1717:
----------------------------------

    Assignee: David Johnson  (was: Roller Unassigned)

> ui security 4.1 dev (trunk) does not seem to work.
> --------------------------------------------------
>
>                 Key: ROL-1717
>                 URL: https://issues.apache.org/roller/browse/ROL-1717
>             Project: Roller
>          Issue Type: Bug
>   Affects Versions: 5.0
>         Environment: Fedora 8 MySql
>            Reporter: Greg Huber
>            Assignee: David Johnson
>
> To reproduce the error:
> Need two users testuser and testuser1. Create entry on testuser1
>
> Login as testuser navigate to entries:
>
> http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog=testuser
>
> then in the URL type testuser1:
>
> http://127.0.0.1:8080/roller41/roller-ui/authoring/entries.rol?weblog=testuser1
>
> press enter
>
> it will show all the entries, edit one and save which is wrong.
> ####
> The code has changed a lot from 4.0, so it looks like a refactor bug.
> It seems to be going wrong on the JPAUserManagerImpl checkPermission(..) globalPerm.implies(perm).
> Debugging, the existingPerm is null which is correct, as test1 has no authority to test:
> existingPerm = getWeblogPermission(permToCheck.getWeblog(), user);
> But it then returns true on the globalPerm:
> if (globalPerm.implies(perm)) return true;
> The global perms are:
> GlobalPermission: login comment weblog
> but from the implies how does this relate to the test weblog? It builds the roles from test1.
>     public boolean implies(Permission perm) {
>         if (perm instanceof RollerPermission) {
>             RollerPermission rperm = (RollerPermission)perm;
>
>             if (hasAction(ADMIN)) {
>                 // admin implies all other permissions
>                 return true;
>
>             } else if (hasAction(WEBLOG)) {
>                 // Best we've got is WEBLOG, so make sure perm doesn't specify ADMIN
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(ADMIN)) return false;
>                 }
>
>             } else if (hasAction(LOGIN)) {
>                 // Best we've got is LOGIN, so make sure perm doesn't specify anything else
>                 for (String action : rperm.getActionsAsList()) {
>                     if (action.equals(WEBLOG)) return false;
>                     if (action.equals(ADMIN)) return false;
>                 }
>             }
>             return true;
>         }
>         return false;
>     }
> Maybe I am missing something?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
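
Added example, not part of the JIRA message and not Roller's code: a simplified Java model of the check the report describes, showing why an action-name-only implies() lets a global "weblog" permission answer for a weblog the user has no grant on, next to one possible scoped variant. The class, record and method names, the "post" action and the grant map are assumptions made for illustration.

```java
import java.util.*;

// Simplified model with hypothetical names; requires Java 16+ for records.
public class ScopedPermissionCheck {
    static final String LOGIN = "login", WEBLOG = "weblog", ADMIN = "admin";

    // A permission request aimed at one weblog, e.g. editing entries on "testuser1".
    record WeblogPerm(String weblog, List<String> actions) {}

    // Mirrors the quoted implies(): it compares action names only and never
    // looks at which weblog the requested permission targets.
    static boolean globalImplies(Set<String> globalActions, WeblogPerm perm) {
        if (globalActions.contains(ADMIN)) return true;
        if (globalActions.contains(WEBLOG)) return !perm.actions().contains(ADMIN);
        if (globalActions.contains(LOGIN))
            return !perm.actions().contains(WEBLOG) && !perm.actions().contains(ADMIN);
        return true;
    }

    // Reported behaviour: the per-weblog grant is missing (null), yet the
    // global permission is consulted next and says yes.
    static boolean checkFlawed(Map<String, Set<String>> grants, Set<String> global, WeblogPerm perm) {
        Set<String> existing = grants.get(perm.weblog());
        if (existing != null && existing.containsAll(perm.actions())) return true;
        return globalImplies(global, perm);
    }

    // Scoped variant (an assumption, not the project's fix): without a grant on
    // this specific weblog, only a global ADMIN may stand in for it.
    static boolean checkScoped(Map<String, Set<String>> grants, Set<String> global, WeblogPerm perm) {
        Set<String> existing = grants.get(perm.weblog());
        if (existing != null && existing.containsAll(perm.actions())) return true;
        return global.contains(ADMIN);
    }

    public static void main(String[] args) {
        // Constructed data: testuser holds a grant on their own weblog only,
        // plus the global actions listed in the report.
        Map<String, Set<String>> testuserGrants = Map.of("testuser", Set.of("post"));
        Set<String> global = Set.of("login", "comment", "weblog");
        WeblogPerm own = new WeblogPerm("testuser", List.of("post"));
        WeblogPerm other = new WeblogPerm("testuser1", List.of("post"));

        System.out.println("flawed: own=" + checkFlawed(testuserGrants, global, own)
                + " other=" + checkFlawed(testuserGrants, global, other));
        System.out.println("scoped: own=" + checkScoped(testuserGrants, global, own)
                + " other=" + checkScoped(testuserGrants, global, other));
    }
}
```

A regression test for this class of bug should request a second user's weblog by changing only the weblog parameter, as in the reproduction steps, and expect a denial.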