[MAGNOLIA-4061] ACL: longest rule does not win

Created: 21/Dec/11
Updated: 28/Mar/12
Resolved: 28/Mar/12

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: 4.5.2

Type: Bug
Priority: Critical
Reporter: Samuel Schmitt
Assignee: Jan Haderka
Resolution: Obsolete
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: URL.png, Website.png

 Description   

From the original security config I add these changes:
--> role anonymous
----> website, R/W:/demo-project/members-area
----> URL, Get & Post: /*

With this config, I should be able to open the page /demo-project/members-area.html, but it's not the case. I'm redirected to the login form.

If in Website, I add R/W to /, then I'm able to open the page.

It seems like the longest rule does not win.



 Comments   
Comment by Espen Jervidalo [ 13/Mar/12 ]

While trying to reproduce this issue my log got flooded with following messages:

2012-03-13 15:22:34,346 WARN ia.module.admininterface.dialogs.ACLSDialogControl: A deprecated class or method was used: Use IoC!. Check the following trace: info.magnolia.module.admininterface.AdminInterfaceModule.getInstance(AdminInterfaceModule.java:103), info.magnolia.module.admininterface.dialogs.ACLSDialogControl.<init>(ACLSDialogControl.java:76), the full stracktrace will be logged in debug mode in the info.magnolia.cms.util.DeprecationUtil category.

and

2012-03-13 15:45:07,928 ERROR info.magnolia.module.cache.filter.CacheFilter : A request started to cache but failed with an exception (AccessDeniedException: cannot read item 1be12547-ad82-4c83-8396-213466ceb003). [url=http://localhost:8080/magnoliaPublic/demo-project/members-area.html], [key=DefaultCacheKey{uri='/demo-project/members-area.html', serverName='localhost', locale='en', channel='desktop', params={}', secure='false'}]
2012-03-13 15:45:47,776 ERROR info.magnolia.rendering.engine.RenderingFilter : javax.jcr.AccessDeniedException: cannot read item 1be12547-ad82-4c83-8396-213466ceb003
info.magnolia.jcr.RuntimeRepositoryException: javax.jcr.AccessDeniedException: cannot read item 1be12547-ad82-4c83-8396-213466ceb003
at info.magnolia.jcr.decoration.NodePredicateContentDecorator.evaluateNode(NodePredicateContentDecorator.java:69)
at info.magnolia.rendering.engine.RenderingFilter.isVisible(RenderingFilter.java:157)
at info.magnolia.rendering.engine.RenderingFilter.doFilter(RenderingFilter.java:103)

Comment by Jan Haderka [ 14/Mar/12 ]

Should be fixed already by SCRUM-909. Recheck.

Comment by Espen Jervidalo [ 21/Mar/12 ]

I rechecked with current trunk. The exceptions are still thrown.

The exception should not print the whole stacktrace. Why is the Login-Screen shown? Some problem with accessing the parent node?

Comment by Jan Haderka [ 28/Mar/12 ]

Tested again on 4.5.1. Behavior is consistent. The reason why pages are not accessible is because STK/Demo Project pages need to access Site Root page in order to render properly. Since they are not allowed access, ContentSecurityFilter will redirect to login page.
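
Added example, not part of the ticket or of Magnolia's code: a small model of path ACLs with longest-match resolution, showing why the longest rule can win for the page itself while the request still ends at the login form. The subtree matching, the site root path `/demo-project` and the `RENDER_DEPENDENCIES` table are assumptions made for illustration.

```python
"""Toy model of path ACLs with longest-match resolution (not Magnolia code)."""

READ, WRITE = 1, 2

# Constructed from the ticket: anonymous gets R/W on the members area only.
ANONYMOUS_WEBSITE_ACL = {"/demo-project/members-area": READ | WRITE}

# Assumption: rendering the page also reads its site root node.
RENDER_DEPENDENCIES = {"/demo-project/members-area": ["/demo-project"]}


def covers(rule_path, node_path):
    """A rule applies to its own node and to everything beneath it."""
    if rule_path == "/":
        return True
    return node_path == rule_path or node_path.startswith(rule_path + "/")


def effective_permissions(acl, node_path):
    """Longest matching rule wins; no matching rule means no access."""
    matches = [p for p in acl if covers(p, node_path)]
    if not matches:
        return 0
    return acl[max(matches, key=len)]


def denied_nodes(acl, page_path):
    """Return every node the render touches that the ACL cannot read."""
    needed = [page_path] + RENDER_DEPENDENCIES.get(page_path, [])
    return [n for n in needed if not effective_permissions(acl, n) & READ]


def outcome(acl, page_path):
    """Mirror the ticket's observable result: render or login redirect."""
    return "redirect-to-login" if denied_nodes(acl, page_path) else "render"


if __name__ == "__main__":
    page = "/demo-project/members-area"
    # Ticket configuration: the page is readable, its site root is not.
    print(outcome(ANONYMOUS_WEBSITE_ACL, page), denied_nodes(ANONYMOUS_WEBSITE_ACL, page))
    # Reporter's workaround: R/W on "/" makes every dependency readable.
    widened = {**ANONYMOUS_WEBSITE_ACL, "/": READ | WRITE}
    print(outcome(widened, page), denied_nodes(widened, page))
```

Listing the denied nodes, rather than only the redirect, is what separates a rule-precedence bug from a missing grant on a dependency.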
