[MAGNOLIA-572] ACL evaluation in case of exact match of path in different roles
Created: 11/Oct/05  Updated: 23/Jan/13  Resolved: 26/Oct/05

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 2.1 Final
Fix Version/s: 3.0 Beta 1

Type: Bug
Priority: Minor
Reporter: Tom Engel
Assignee: Sameer Charles
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When two roles define an ACL for the same path and both roles are assigned to a user, only the lowest permission for that path is taken by the access manager. It should be the highest available permission for that path, because the rights of the roles should always be summed up.



 Comments   
Comment by Philipp Bracher [ 12/Oct/05 ]

I had this problem too and would agree to this new practice

Comment by Alexandru Popescu [ 12/Oct/05 ]

+1

./alex

.w( the_mindstorm )p.

Comment by Sameer Charles [ 12/Oct/05 ]

done, on trunk

http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/cms/security/AccessManagerImpl.java
http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/cms/security/AccessManager.java

Comment by Tom Engel [ 12/Oct/05 ]

Sorry to bug you guys with that again, but there is still a bug in the code with major effects.

It can still happen that the order of the assigned roles to a user is defining the permissions to a certain path, not the permissions themselves. And that's regardless of whether the higher or the lower permissions should be taken, although the new way to take the higher ones is better.

Think of a user having two roles that set permissions to the same path on e.g. website:
first: path=/*, permission=63
second: path=/*, permission=8

I just post the commented actual code now of AccessManagerImpl, to keep it short:

// we want to check permissions for the path /*
public long getPermissions(String path) {
    if (userPermissions == null) {
        return Permission.ALL;
    }

    long permission = 0;
    int patternLength = 0;
    for (int i = 0; i < userPermissions.size(); i++) {
        // I think we all agree, that after first iteration
        // permission=63 and
        // patternLength=2
        // so we keep looking at second iteration:
        Permission p = (Permission) userPermissions.get(i);
        if (p.match(path)) {
            // yes, we match again, so we go on
            int l = p.getPattern().getLength();
            // p.getPattern().getLength() is also 2, so patternLength == l
            // but p.getPermissions() is 8 and so this (permission < p.getPermissions()) evaluates to false
            if (patternLength == l && (permission < p.getPermissions())) {
                permission = p.getPermissions();
            }
            // p.getPattern().getLength() is also 2, so (patternLength <= l) evaluates to true
            else if (patternLength <= l) {
                // so, here we are
                patternLength = l; // ok, it's the same anyway
                permission = p.getPermissions(); // BUG IN THIS LINE
                // before setting the permission to the value of the pattern, you have to
                // check if(permission < p.getPermissions()) because otherwise you overwrite this value with any permission smaller than the actual one
            }
        }
    }
    // after iterations, this is 8, not 63...
    return permission;
}

Sorry for being such a nag, but I think that's quite important.
Regards,
tom
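
Added example, not part of the original thread and not Magnolia's actual code: a self-contained Java (16+) model of the resolution loop quoted in the comment above, run with the two roles in both orders, next to an order-independent variant that applies the check the comment proposes. The `Perm` record, the prefix-style pattern matching and the `buggy`/`fixed` names are assumptions made for illustration.

```java
import java.util.List;

// Added illustration, not Magnolia code. Perm, buggy() and fixed() are hypothetical names.
public class AclOrderDemo {
    // Assumption: a pattern is a literal prefix followed by '*'.
    record Perm(String pattern, long value) {
        boolean match(String path) { return path.startsWith(pattern.substring(0, pattern.length() - 1)); }
    }

    // Same branching as the quoted loop: an equal-length match with a lower value reaches the else-branch and overwrites.
    static long buggy(List<Perm> perms, String path) {
        long permission = 0;
        int patternLength = 0;
        for (Perm p : perms) {
            if (!p.match(path)) continue;
            int l = p.pattern().length();
            if (patternLength == l && permission < p.value()) {
                permission = p.value();
            } else if (patternLength <= l) {
                patternLength = l;
                permission = p.value();
            }
        }
        return permission;
    }

    // Order-independent: a longer pattern replaces the result, an equally long one can only raise it.
    static long fixed(List<Perm> perms, String path) {
        long permission = 0;
        int patternLength = -1;
        for (Perm p : perms) {
            if (!p.match(path)) continue;
            int l = p.pattern().length();
            if (l > patternLength) {
                patternLength = l;
                permission = p.value();
            } else if (l == patternLength) {
                permission = Math.max(permission, p.value());
            }
        }
        return permission;
    }

    public static void main(String[] args) {
        Perm all = new Perm("/*", 63), low = new Perm("/*", 8); // constructed sample roles from the comment
        for (List<Perm> roles : List.of(List.of(all, low), List.of(low, all))) {
            System.out.println("buggy=" + buggy(roles, "/news") + " fixed=" + fixed(roles, "/news"));
        }
    }
}
```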

Comment by Sameer Charles [ 12/Oct/05 ]

indeed it's a bug, I'll test it with the same scenario as yours and fix asap

Comment by Sameer Charles [ 12/Oct/05 ]

this won't solve the problem, there are other related problems while creating user permission list from JAAS authenticated subject.

Comment by Sameer Charles [ 12/Oct/05 ]

updated svn trunk, tested all possible scenarios.
Leaving this issue open until we test it more

http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/jaas/sp/jcr/JCRLoginModule.java
http://svn.magnolia.info/svn/magnolia/trunk/magnolia-core/src/main/java/info/magnolia/cms/security/AccessManagerImpl.java
