[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1465) move and copy commands jump the permissions
Luca Stancapiano (JIRA)
jira-events at lists.jboss.org
Sat May 26 07:45:08 EDT 2007
move and copy commands jump the permissions
-------------------------------------------
Key: JBPORTAL-1465
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1465
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.Beta1
Environment: Eclipse, JBoss AS 4.0.5-cp4 and JBoss Portal taken from http://anonsvn.jboss.org/repos/portal/trunk
Reporter: Luca Stancapiano
Assigned To: Sohil Shah
Fix For: 2.6 Final
When I log in as an administrator other than "admin", go into the CMS panel of the portal and try to copy or move a file from an allowed space to a denied space, I get an error message advising me that I don't have the privileges to perform that operation. But if I log out and then log in again and go into the CMS panel, I see that my operation was successfully done, because the file was moved or copied anyway. Of course, I then cannot remove it because I have no permission in that zone. You can test this by moving default/support.html into /, which by default is allowed only to the "admin" user.

I've seen in the code that the permission check for copy and move operations is only on the "from" path and there is no check on the "to" path. In the method "hasManageAccess" of the org.jboss.portal.cms.impl.jcr.command.ACLEnforcer class there is:
    else if(command instanceof MoveCommand)
    {
        path = ((MoveCommand)command).msFromPath;
    }
and the same thing for the copy command.
I modified this part as follows:
    else if(command instanceof MoveCommand)
    {
        path = ((MoveCommand)command).msFromPath;
        hasManageAccess = this.computeAccess(user,path,"manage");
        if (hasManageAccess)
        {
            path = ((MoveCommand)command).msToPath;
            hasManageAccess = this.computeAccess(user,path,"manage");
        }
    }
adding a permission check for the "to" path. It seems OK. Could you try it?
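A self-contained illustration of the check discussed in the report, added here as an example; it is not code from the original message or from JBoss Portal. The class, the method names, the "editor" user and the destination file name are hypothetical, and the path policy is constructed so that "/" is manageable only by "admin", as the report describes for the default setup.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Hypothetical stand-in for a CMS ACL check; not JBoss Portal's ACLEnforcer.
public class MoveAclDemo {
    // Constructed policy: path prefix -> users holding the "manage" right.
    static final Map<String, Set<String>> MANAGE = new TreeMap<>(Map.of(
        "/", Set.of("admin"),
        "/default", Set.of("admin", "editor")));

    // The most specific (longest) matching prefix decides the outcome.
    static boolean canManage(String user, String path) {
        String best = null;
        for (String prefix : MANAGE.keySet()) {
            boolean match = prefix.equals("/") || path.equals(prefix)
                || path.startsWith(prefix + "/");
            if (match && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best != null && MANAGE.get(best).contains(user);
    }

    // Behaviour described in the report: only the source path is checked.
    static boolean moveAllowedFromOnly(String user, String from, String to) {
        return canManage(user, from);
    }

    // Source and destination must both pass before anything is written.
    static boolean moveAllowed(String user, String from, String to) {
        return canManage(user, from) && canManage(user, to);
    }

    public static void main(String[] args) {
        String from = "/default/support.html"; // file named in the report
        String to = "/support.html";           // constructed destination under "/"
        for (String user : List.of("editor", "admin")) {
            System.out.printf("%s: from-only=%b both-paths=%b%n", user,
                moveAllowedFromOnly(user, from, to), moveAllowed(user, from, to));
        }
    }
}
```

The same two-path rule applies to the copy command, which the report says has the identical from-only check.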