Weceem

Permissions checking can fail for multirole users

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 0.9
  • Fix Version/s: 1.0-M2
  • Component/s: None
  • Labels:
    None

Description

The permission checking implemented by the hasPermission method of o.w.s.WeceemSecurityPolicy stops the role iteration as soon as it finds a role without the required permissions. However, a user may have several roles and we can't assume a known order in the list of given roles, so I think the list of roles should be traversed until a role with permissions is found or its end is reached.

Activity

Rafael added a comment - 07/May/10 9:46 AM


I think this patch should fix the issue.

Rafael added a comment - 07/May/10 9:47 AM

The previous patch is based on the 58895 revision.

Marc Palmer added a comment - 08/Feb/11 12:06 PM

Didn't see this unversioned issue

Marc Palmer added a comment - 08/Feb/11 1:06 PM

Checked and applied

Marc Palmer added a comment - 08/Feb/11 1:15 PM

This actually contained a bug. The correct code should still test for null explicitGrant, but explicitMatch should be set to explicitGrant and return explicitGrant.

The patch, as supplied, does not work correctly where a policy has an explicit DENY.
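
The following Python model is an added example, not Weceem's code and not part of any comment above. It reproduces the order-dependent role check from the description beside a traversal of all roles, and shows one way an explicit DENY can be lost when "no rule" and "deny" are not told apart. The policy layout, role names, paths and the `null_check` switch are assumptions made for illustration.

```python
# Constructed model: role -> {path prefix -> {permission -> True/False}}.
# True is an explicit GRANT, False an explicit DENY, a missing entry means "no rule".
POLICY = {
    "ROLE_GUEST":  {"/": {"view": True}},
    "ROLE_EDITOR": {"/": {"view": True, "edit": True},
                    "/private": {"edit": False}},  # explicit DENY below a GRANT
}


def ancestors(path):
    """Yield the path itself, then each parent prefix, ending with '/'."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])
    yield "/"


def role_decision(role, path, perm, null_check=True):
    """Most specific explicit rule for one role: True, False, or None (no rule)."""
    rules = POLICY.get(role, {})
    for prefix in ancestors(path):
        explicit_grant = rules.get(prefix, {}).get(perm)
        # null_check=False models a truthiness test, which treats DENY like "no rule"
        # and keeps searching parent prefixes until it finds a GRANT.
        matched = explicit_grant is not None if null_check else bool(explicit_grant)
        if matched:
            return explicit_grant
    return None


def has_permission_first_role(roles, path, perm):
    """Reported behaviour: iteration stops at the first role lacking the permission."""
    granted = False
    for role in roles:
        if role_decision(role, path, perm) is True:
            granted = True
        else:
            break  # a later role that does grant is never consulted
    return granted


def has_permission(roles, path, perm, null_check=True):
    """Traverse every role until one grants or the end of the list is reached."""
    return any(role_decision(r, path, perm, null_check) is True for r in roles)
```

With the roles ordered guest first, the first function denies an edit that the editor role grants, while the second permits it and still refuses `/private` unless the null test is replaced by a truthiness test.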


Dates

  • Created:
    07/May/10 9:42 AM
    Updated:
    08/Feb/11 1:15 PM
    Resolved:
    08/Feb/11 1:06 PM