syncope-dev mailing list archives

From Francesco Chicchiriccò (JIRA) <j...@apache.org>
Subject [jira] [Updated] (SYNCOPE-707) ConfigurationLogin doesn't check the existence of key during deletion.
Date Tue, 13 Oct 2015 13:00:07 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-707:
-------------------------------------------
    Description: 
When I try to delete a configuration I always get a valid response, even when the configuration
key doesn't exist (while I was expecting a NotFound error).
Reading the code, I found the difference below between (1) ConfigurationLogic and, for instance, (2)
SchemaLogic classes:

(1)
@PreAuthorize("hasRole('" + Entitlement.CONFIGURATION_DELETE + "')")
    public void delete(final String schema) {
        confDAO.delete(schema);
    }

(2)
@PreAuthorize("hasRole('" + Entitlement.SCHEMA_DELETE + "')")
    public void delete(final SchemaType schemaType, final String schemaName) {
        if (!doesSchemaExist(schemaType, schemaName)) {
            throw new NotFoundException(schemaType + "/" + schemaName);
        }

        switch (schemaType) {
            case VIRTUAL:
                virSchemaDAO.delete(schemaName);
                break;

            case DERIVED:
                derSchemaDAO.delete(schemaName);
                break;

            case PLAIN:
            default:
                plainSchemaDAO.delete(schemaName);
        }
    }

As you can see, the second class has a check on schema existence; the first one doesn't.


We have to add the same check on the ConfigurationLogic class.

Relevant mail thread: http://markmail.org/message/3ufidttokvw2km5k

  was:
When I try to delete a configuration I always get a valid response, even when the configuration
key doesn't exist (while I was expecting a NotFound error).
Reading the code, I found the difference below between (1) ConfigurationLogic and, for instance, (2)
SchemaLogic classes:

(1)
@PreAuthorize("hasRole('" + Entitlement.CONFIGURATION_DELETE + "')")
    public void delete(final String schema) {
        confDAO.delete(schema);
    }

(2)
@PreAuthorize("hasRole('" + Entitlement.SCHEMA_DELETE + "')")
    public void delete(final SchemaType schemaType, final String schemaName) {
        if (!doesSchemaExist(schemaType, schemaName)) {
            throw new NotFoundException(schemaType + "/" + schemaName);
        }

        switch (schemaType) {
            case VIRTUAL:
                virSchemaDAO.delete(schemaName);
                break;

            case DERIVED:
                derSchemaDAO.delete(schemaName);
                break;

            case PLAIN:
            default:
                plainSchemaDAO.delete(schemaName);
        }
    }

As you can see, the second class has a check on schema existence; the first one doesn't.


We have to add the same check on the ConfigurationLogic class.


> ConfigurationLogin doesn't check the existence of key during deletion.
> ----------------------------------------------------------------------
>
>                 Key: SYNCOPE-707
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-707
>             Project: Syncope
>          Issue Type: Bug
>    Affects Versions: 1.2.5, 2.0.0
>            Reporter: Massimiliano Perrone
>            Assignee: Massimiliano Perrone
>            Priority: Minor
>             Fix For: 1.2.6, 2.0.0
>
>
> When I try to delete a configuration I always get a valid response, even when the configuration
> key doesn't exist (while I was expecting a NotFound error).
> Reading the code, I found the difference below between (1) ConfigurationLogic and, for instance,
> (2) SchemaLogic classes:
> (1)
> @PreAuthorize("hasRole('" + Entitlement.CONFIGURATION_DELETE + "')")
>     public void delete(final String schema) {
>         confDAO.delete(schema);
>     }
> (2)
> @PreAuthorize("hasRole('" + Entitlement.SCHEMA_DELETE + "')")
>     public void delete(final SchemaType schemaType, final String schemaName) {
>         if (!doesSchemaExist(schemaType, schemaName)) {
>             throw new NotFoundException(schemaType + "/" + schemaName);
>         }
>         switch (schemaType) {
>             case VIRTUAL:
>                 virSchemaDAO.delete(schemaName);
>                 break;
>             case DERIVED:
>                 derSchemaDAO.delete(schemaName);
>                 break;
>             case PLAIN:
>             default:
>                 plainSchemaDAO.delete(schemaName);
>         }
>     }
> As you can see, the second class has a check on schema existence; the first one doesn't.

> We have to add the same check on the ConfigurationLogic class.
> Relevant mail thread: http://markmail.org/message/3ufidttokvw2km5k



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
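
Added example, not part of the original message and not Syncope's own code: a self-contained reproduction of the behaviour reported above, with the unchecked delete beside a delete that applies the same existence guard SchemaLogic uses. The class ConfDeleteCheck, the in-memory ConfDAO with its find() method, the local NotFoundException and the key names are all hypothetical stand-ins; it also assumes the DAO's delete is a silent no-op for an unknown key.

```java
import java.util.HashMap;
import java.util.Map;

public class ConfDeleteCheck {

    // Local stand-in for the NotFoundException used in SchemaLogic (hypothetical).
    static class NotFoundException extends RuntimeException {
        NotFoundException(String what) { super("Not found: " + what); }
    }

    // Hypothetical in-memory DAO; assumption: delete() silently ignores unknown keys.
    static class ConfDAO {
        private final Map<String, String> store = new HashMap<>();
        void save(String key, String value) { store.put(key, value); }
        String find(String key) { return store.get(key); }
        void delete(String key) { store.remove(key); }
    }

    private final ConfDAO confDAO = new ConfDAO();

    // Behaviour described in the report: no existence check, so every call "succeeds".
    void deleteUnchecked(String key) {
        confDAO.delete(key);
    }

    // Same guard as SchemaLogic: report the missing key before touching the store.
    void deleteChecked(String key) {
        if (confDAO.find(key) == null) {
            throw new NotFoundException("configuration key " + key);
        }
        confDAO.delete(key);
    }

    public static void main(String[] args) {
        ConfDeleteCheck logic = new ConfDeleteCheck();
        logic.confDAO.save("sample.key", "value"); // constructed sample entry

        logic.deleteUnchecked("sampel.key"); // misspelled key: returns normally
        System.out.println("after unchecked delete of unknown key, entry still present: "
                + (logic.confDAO.find("sample.key") != null));
        try {
            logic.deleteChecked("sampel.key"); // the same typo is now reported to the caller
        } catch (NotFoundException e) {
            System.out.println("checked delete of unknown key: " + e.getMessage());
        }
        logic.deleteChecked("sample.key"); // an existing key is removed as before
        System.out.println("after checked delete, entry present: "
                + (logic.confDAO.find("sample.key") != null));
    }
}
```

With the unchecked variant a caller that mistypes a key gets a success response while the intended entry stays in place; the checked variant surfaces the mismatch as NotFound.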
