[MGNLIMG-36] Review access control Created: 14/May/09  Updated: 04/Nov/15  Resolved: 04/Nov/15

Status: Closed
Project: Imaging
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major
Reporter: Magnolia International Assignee: Magnolia International
Resolution: Won't Do Votes: 0
Labels: verify
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLIMG-83 Compatibility with core 4.4 Closed
supersession
supersedes MGNLIMG-54 Permissions for pre-caching and readi... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:

 Description   
  1. WorkspaceAndNodeParameterProviderFactory (for instance) should load the "source" node with the user's session
  2. it should use AccessManager to check for access to the source node even if we don't need to load it
  3. If 1) and 2), then it should be safe to use the SystemContext to store the generated image
  4. Loading the generated image (cached) should still happen with the user's session, so that access to that workspace can also be restricted, no matter what the source node is (if any) nor what the ParameterProviderFactory is.


 Comments   
Comment by Magnolia International [ 10/Jun/09 ]

See MGNLIMG-54: we now have a base role that has the appropriate permissions.
We might want to diminish those permissions and apply the above, or let it go altogether.

Comment by Christopher Zimmermann [ 05/Dec/13 ]

For generated images - should check if the user has access to the source image it was generated from.

Comment by Michael Mühlebach [ 04/Nov/15 ]

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.
Thanks for taking the time to raise this issue. As you are no doubt aware this issue has been on our backlog for some time now with very little movement.
I'm going to close this to set expectations so the issue doesn't stay open for years with few updates. If the issue is still relevant please feel free to reopen it or create a new issue.

Generated at Mon Feb 12 02:11:38 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.