
Thread: DO NOT REPLY - tab.acAuthoring throws exception and corrupts ac data




user name
2006-09-28 10:07:10
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40609>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40609





------- Additional Comments From thorstenapache.org  2006-09-28 10:07 -------
http://svn.apache.org/viewvc/lenya/trunk/src/modules-core/ac-impl/java/src/org/apache/lenya/ac/impl/PolicyAuthorizer.java?view=markup
    protected boolean authorizePolicy(
        Identity identity,
        Request request,
        String webappUrl)
...
        Credential[] credentials = policy.getCredentials(identity);
        for (int i = 0; i < credentials.length; i++) {
            Credential credential = credentials[i];
            for (int j = 0; j < roles.length; j++) {
                Role role = roles[j];
                if (credential.contains(role)) {
                    String method = credential.getMethod();
                    if (method.equals(CredentialImpl.GRANT)) {
                        authorized = true;
                    }
                    out = true;
                    break;
                }
            }
            if (out)
                break;
        }
        saveRoles(request, roles);
        return authorized;
...

Right now we follow with above code
http://lenya.apache.org/docs/1_4/reference/ac.html#Concept
"When a credential is found which assigns the role r to the accreditable a,
return the method of the credential."

The problem is that the request right now *does not* attach the requested role
(but all possible roles for the user) to the request. Meaning the above looks
into role[] and tests each role. If we find a deny then we return false.

What this bug report means is to extend this method to test each role[] and if
it is denied then remove the role[it] from the array. If we traversed all roles
and roles.length == 0 then we return false otherwise true (authorised with a
role that did not get denied).



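The difference between the quoted loop and the change proposed in the comment above, as an added example that is not part of the original message and is not Lenya code. The Credential record, the Method enum, the role names and the sample policy are simplified, hypothetical stand-ins for the org.apache.lenya.ac types; dropping a role that no credential mentions (fail closed) is an assumption the comment does not state.

```java
import java.util.*;

// Added illustration (Java 16+ for records); none of these types are Lenya's own.
public class RoleDenyDemo {
    enum Method { GRANT, DENY }

    // One policy entry: the method it applies and the roles it covers.
    record Credential(Method method, Set<String> roles) {}

    // Behaviour of the quoted loop: the first credential that contains any of
    // the user's roles decides the outcome for the whole request.
    static boolean firstMatch(List<Credential> credentials, List<String> roles) {
        for (Credential c : credentials) {
            for (String role : roles) {
                if (c.roles().contains(role)) {
                    return c.method() == Method.GRANT;
                }
            }
        }
        return false; // no credential matched any role
    }

    // Proposed behaviour: resolve each role on its own, drop denied roles,
    // and authorize only if at least one role is left.
    static List<String> survivingRoles(List<Credential> credentials, List<String> roles) {
        List<String> remaining = new ArrayList<>();
        for (String role : roles) {
            for (Credential c : credentials) {
                if (c.roles().contains(role)) {
                    if (c.method() == Method.GRANT) remaining.add(role);
                    break; // first credential mentioning this role decides it
                }
            }
            // Assumption: a role no credential mentions is dropped (fail closed).
        }
        return remaining;
    }

    public static void main(String[] args) {
        // Constructed sample policy: "review" is denied, "edit" is granted.
        List<Credential> policy = List.of(
            new Credential(Method.DENY, Set.of("review")),
            new Credential(Method.GRANT, Set.of("edit")));
        List<String> userRoles = List.of("edit", "review");

        System.out.println("first match: " + firstMatch(policy, userRoles));
        List<String> kept = survivingRoles(policy, userRoles);
        System.out.println("per role:    " + !kept.isEmpty() + " with roles " + kept);
    }
}
```

With the per-role variant, the list returned by survivingRoles is what would be passed on to the request in place of the full role array, so later checks never see a role the policy denied.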