Thread: Created: (JBPORTAL-1465) move and copy commands jump the permissions




Created: (JBPORTAL-1465) move and copy commands jump the permissions
2007-05-26 06:45:08
move and copy commands jump the permissions
-------------------------------------------

                 Key: JBPORTAL-1465
                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1465
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal CMS
    Affects Versions: 2.6.Beta1
         Environment: eclipse, jboss as 4.0.5-cp4 and jboss portal taken from http://anonsvn.jboss.org/repos/portal/trunk
            Reporter: Luca Stancapiano
         Assigned To: Sohil Shah
             Fix For: 2.6 Final


When I log in as an administrator other than "admin", go
into the CMS panel of the portal and try to copy or move a
file from an allowed space to a denied space, I get an error
message advising me that I don't have privileges to perform
that operation. But if I log out and then log in again and
go into the CMS panel, I see that my operation was
successfully done, because the file was moved or copied
anyway. Of course I then cannot remove it, because I have no
permission in that zone. You can test this by moving
default/support.html into /, which by default is allowed
only to the "admin" user. I've seen in the code that the
permission access for copy and move operations is checked
only for the "from" path and there is no control for the
"to" path. Looking at the method "hasManageAccess" in the
org.jboss.portal.cms.impl.jcr.command.ACLEnforcer class,
there is:

        else if(command instanceof MoveCommand)
        {
            path = ((MoveCommand)command).msFromPath;
        }      

and the same thing for the copy command.
I modified this part as follows:

        else if(command instanceof MoveCommand)
        {
            // check "manage" access on the source path first
            path = ((MoveCommand)command).msFromPath;
            hasManageAccess = this.computeAccess(user,path,"manage");

            // only if the source passes, also check the destination path
            if (hasManageAccess)
            {
                path = ((MoveCommand)command).msToPath;
                hasManageAccess = this.computeAccess(user,path,"manage");
            }
        }

adding permission control for the "to" path. It seems OK.
Could you try it?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the
administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
jboss-jira mailing list
jboss-jiralists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-jira
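
The gap described in this report, as an added example that is not part of the thread and not JBoss Portal code: a toy ACL in which a non-"admin" user can manage /default but not /, evaluated once against the "from" path only and once against every path the command touches. The class name, the `editor` user, the ACL table, the leading-slash path form and the `touchedPaths` interface are assumptions made for illustration; requiring all touched paths to pass generalizes the two-path check in the post so that a new command type cannot omit its destination.

```java
import java.util.*;

// Added illustration, not JBoss Portal code: every name and the ACL table are constructed.
public class TwoPathAclDemo {
    // Constructed ACL: path -> users holding "manage"; the nearest listed ancestor applies.
    static final Map<String, Set<String>> MANAGE = Map.of(
        "/", Set.of("admin"),
        "/default", Set.of("admin", "editor"));

    // Hypothetical stand-in for computeAccess(user, path, "manage").
    static boolean canManage(String user, String path) {
        for (String p = path; ; p = parent(p)) {
            Set<String> users = MANAGE.get(p);
            if (users != null) return users.contains(user);
            if (p.equals("/")) return false;          // nothing listed: deny
        }
    }

    static String parent(String path) {
        int i = path.lastIndexOf('/');
        return i <= 0 ? "/" : path.substring(0, i);
    }

    // A command reports every path it reads from or writes to.
    interface Command { List<String> touchedPaths(); }

    static Command move(String from, String to) { return () -> List.of(from, to); }

    // Check as described in the report: only the first ("from") path is consulted.
    static boolean firstPathOnly(String user, Command c) {
        return canManage(user, c.touchedPaths().get(0));
    }

    // Check with the destination included: all touched paths must pass.
    static boolean allPaths(String user, Command c) {
        List<String> paths = c.touchedPaths();
        return !paths.isEmpty() && paths.stream().allMatch(p -> canManage(user, p));
    }

    public static void main(String[] args) {
        Command c = move("/default/support.html", "/support.html");
        System.out.println("editor, from-only check: " + firstPathOnly("editor", c));
        System.out.println("editor, both paths:      " + allPaths("editor", c));
        System.out.println("admin,  both paths:      " + allPaths("admin", c));
    }
}
```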

Updated: (JBPORTAL-1465) move and copy commands jump the permissions
2007-05-26 06:47:08
     [ http://jira.jboss.com/jira/browse/JBPORTAL-1465?page=all ]

Luca Stancapiano updated JBPORTAL-1465:
---------------------------------------

    Attachment: ACLEnforcer.java

I am sending you the entire ACLEnforcer with the patched copy and move
controls.


Commented: (JBPORTAL-1465) move and copy commands jump the permissions
2007-05-30 16:34:08
    [ http://jira.jboss.com/jira/browse/JBPORTAL-1465?page=comments#action_12363630 ]
            
Sohil Shah commented on JBPORTAL-1465:
--------------------------------------

Good catch. I have incorporated the patch into the trunk

Thanks



Resolved: (JBPORTAL-1465) move and copy commands jump the permissions
2007-05-30 16:34:08
     [ http://jira.jboss.com/jira/browse/JBPORTAL-1465?page=all ]

Sohil Shah resolved JBPORTAL-1465.
----------------------------------

    Resolution: Done
