[MAGNOLIA-572] ACL evaluation in case of exact match of path in different roles Created: 11/Oct/05 Updated: 23/Jan/13 Resolved: 26/Oct/05 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | 2.1 Final |
| Fix Version/s: | 3.0 Beta 1 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Tom Engel | Assignee: | Sameer Charles |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
When two roles define an ACL for the same path and both roles are assigned to a user, only the lowest permission for that path is taken by the access manager. It should be the highest available permission for that path, because the rights of the roles should always be summed up. |
| Comments |
| Comment by Philipp Bracher [ 12/Oct/05 ] |
|
I had this problem too and would agree to this new practice |
| Comment by Alexandru Popescu [ 12/Oct/05 ] |
|
+1 ./alex |
| Comment by Sameer Charles [ 12/Oct/05 ] |
|
done, on trunk http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/cms/security/AccessManagerImpl.java |
| Comment by Tom Engel [ 12/Oct/05 ] |
|
Sorry to bug you guys with that again, but there is still a bug in the code with major effects. It can still happen that the order of the assigned roles to a user is defining the permissions to a certain path, not the permissions themselves. And that's regardless of whether the higher or the lower permissions should be taken, although the new way to take the higher ones is better.

Think of a user having two roles that set permissions to the same path on e.g. website.

I just post the commented actual code now of AccessManagerImpl, to keep it short:

// we want to check permissions for the path /* long permission = 0; // p.getPattern().getLength() is also 2, so (patternLength <= l) evaluates to true }

Sorry for being such a nag, but I think that's quite important. |
| Comment by Sameer Charles [ 12/Oct/05 ] |
|
Indeed it's a bug; I'll test it with the same scenario as yours and fix ASAP. |
| Comment by Sameer Charles [ 12/Oct/05 ] |
|
This won't solve the problem; there are other related problems while creating the user permission list from the JAAS authenticated subject. |
| Comment by Sameer Charles [ 12/Oct/05 ] |
|
updated svn trunk, tested all possible scenarios. http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/jaas/sp/jcr/JCRLoginModule.java |
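
Added example (not Magnolia's code and not posted by anyone in this thread): a Java sketch contrasting an evaluation in which role order decides a tie between equal-length paths, as the `<=` comparison quoted above suggests, with one that ORs the tied entries so the rights of both roles are summed. The `Entry` record, the bit values, the prefix matching and the rule that the longest matching path wins are assumptions made for illustration.

```java
import java.util.List;

// Added illustration; every name here is hypothetical and not part of Magnolia's API.
public class AclMergeExample {
    static final long READ = 1, WRITE = 2;      // constructed bit values
    record Entry(String path, long bits) {}     // one ACL line contributed by a role

    // True when the ACL path equals the requested path or is one of its ancestors.
    static boolean covers(String aclPath, String path) {
        if (aclPath.equals("/") || aclPath.equals(path)) return true;
        return path.startsWith(aclPath + "/");
    }

    // Order-dependent: with "<=" a later entry of equal length replaces the earlier one.
    static long lastMatchWins(List<Entry> acl, String path) {
        long permission = 0;
        int longest = 0;
        for (Entry e : acl) {
            if (covers(e.path(), path) && longest <= e.path().length()) {
                longest = e.path().length();
                permission = e.bits();
            }
        }
        return permission;
    }

    // Order-independent: OR together the bits of every entry tied for the most specific path.
    static long mergedMostSpecific(List<Entry> acl, String path) {
        long permission = 0;
        int longest = -1;
        for (Entry e : acl) {
            if (!covers(e.path(), path)) continue;
            int len = e.path().length();
            if (len > longest) { longest = len; permission = e.bits(); }
            else if (len == longest) { permission |= e.bits(); }
        }
        return permission;
    }

    public static void main(String[] args) {
        // Constructed scenario: two roles grant different rights on the same path.
        Entry editor = new Entry("/news", READ | WRITE), reader = new Entry("/news", READ);
        for (List<Entry> order : List.of(List.of(editor, reader), List.of(reader, editor))) {
            System.out.println(lastMatchWins(order, "/news/today") + " vs "
                    + mergedMostSpecific(order, "/news/today"));
        }
    }
}
```

A regression test for this class of bug should evaluate every permutation of the user's roles and require the same effective permission each time.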