[JBoss JIRA] Created: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
6:14 a.m.
ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders
have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but read
is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:20 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=comments#action_1238... ]
Mariusz Smykula commented on JBPORTAL-1742:
-------------------------------------------
Ok, computeToolAccess have interesting comment, but why this method is included in
ACLInterceptor? I want to access CMS resources from my custom portlet and list them.
* This is used to filter out cms resources in the CMS Admin tool, so that the user
* can see only the resources that he has write/manage access to
ACLEnforcer - folder.getFolders() give results for Anonymus user only
if child folders have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but
read is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:13 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=comments#action_1238... ]
Mariusz Smykula commented on JBPORTAL-1742:
-------------------------------------------
In class ACLInterceptor (line: 270) is this code necessary?
securityContext.removeAttribute("command");
without this line, the ACLEnforcer know than my anonymous user want read subfolders, and
then show folders to him.
For full explanation:
* Logged user can see subfolders without write or manage permission (only read is needed).
* Anonymous user cant see subfolders with read permission - subfolders must be write or
manage for Anonymous.
I think this is bad behavior.
ACLEnforcer - folder.getFolders() give results for Anonymus user only
if child folders have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but
read is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:50 a.m.
New subject: [JBoss JIRA] Updated: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=all ]
Thomas Heute updated JBPORTAL-1742:
-----------------------------------
Fix Version/s: 2.6.3 Final
ACLEnforcer - folder.getFolders() give results for Anonymus user only
if child folders have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
Fix For: 2.6.3 Final
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but
read is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:15 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=comments#action_1238... ]
Mariusz Smykula commented on JBPORTAL-1742:
-------------------------------------------
Removing line 270 is not good idea.
Solution than work for my is:
change in ACLInterceptor (line 138) from
hasAccess = this.computeToolAccess(loggedInUser, path);
to
hasAccess = this.computeAccess(loggedInUser, path,"read");
computeToolAccess is method dedicated for CMSAdminPortlet:
Comment from code
// * This is used to filter out cms resources in the CMS Admin tool, so that the user
// * can see only the resources that he has write/manage access to
computeAccess(loggedInUser, path,"read") make real checking for READ access to
listed resouce.
ACLEnforcer - folder.getFolders() give results for Anonymus user only
if child folders have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
Fix For: 2.6.3 Final
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but
read is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:07 a.m.
New subject: [JBoss JIRA] Resolved: (JBPORTAL-1742) ACLEnforcer - folder.getFolders() give results for Anonymus user only if child folders have write or manage permssion for anonymous (read is not enough)
[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=all ]
Sohil Shah resolved JBPORTAL-1742.
----------------------------------
Resolution: Rejected
Mariusz-
This is actually not a bug. The FolderGetListCommand that comes part of the core cms
codebase is designed to support the CMS Admin tool along with the security semantics that
go along with it, provided by the
ACLInterceptor and ACLEnforcer.
If you need to access the data outside the context of the CMS Admin tool (which is a
custom portlet in your case), a clean solution would be to create your own cms command
(basically the same as FolderGetListCommand). This new command will be outside the context
of the CMS Admin tool security context and you should be able to get your resources the
way your portlet prefers them to be
ACLEnforcer - folder.getFolders() give results for Anonymus user only
if child folders have write or manage permssion for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
Fix For: 2.6.3 Final
I want to execute simple code from my portlet:
Command listCMD =
cmsService.getCommandFactory().createFolderGetListCommand("/");
mainFolder = (Folder) cmsService.execute(listCMD);
LOG.info(mainFolder .getFolders().size());
This is ALWAYS empty folders list, if executed as Anonymous user. For real result I need
to set role write or manage for Anonymus user to all subfolders. This is correct?
This happens because in ACLEnforce there is checked for write or mange permssion, but
read is enough!
for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
{
Permission specificPermission = (Permission)itr.next();
if( (specificPermission.getService().equals("cms")) &&
(specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
)
{
for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
{
Permission userPermission = (Permission)itr2.next();
if( (userPermission.getService().equals("cms")) &&
(userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
)
{
String pathCriteria =
userPermission.findCriteriaValue("path");
if(pathCriteria.equals(path))
{
//this means this user has read access to this path
toolAccess = true;
}
}
}
}
}
This is correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6253
days inactive
6300
days old
5 comments
3 participants
participants (3)
-
Mariusz Smykula (JIRA) -
Sohil Shah (JIRA)
-
Thomas Heute (JIRA)