[jboss-jira] [JBoss JIRA] Resolved: (JBPORTAL-1465) move and copy commands jump the permissions

Sohil Shah (JIRA) jira-events at lists.jboss.org
Wed May 30 17:34:08 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBPORTAL-1465?page=all ]

Sohil Shah resolved JBPORTAL-1465.
----------------------------------

    Resolution: Done

> move and copy commands jump the permissions
> -------------------------------------------
>
>                 Key: JBPORTAL-1465
>                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1465
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal CMS
>    Affects Versions: 2.6.Beta1
>         Environment: eclipse , jboss as 4.0.5-cp4 and jboss portal taken from http://anonsvn.jboss.org/repos/portal/trunk
>            Reporter: Luca Stancapiano
>         Assigned To: Sohil Shah
>             Fix For: 2.6 Final
>
>         Attachments: ACLEnforcer.java
>
>
> When I log in as an administrator other than "admin", go into the CMS panel of the portal and try to copy or move a file from an allowed space to a denied space, I get an error message advising me that I don't have privileges to perform that operation. But if I log out and then log in again and go into the CMS panel, I see that my operation was successfully done, because the file has been moved or copied anyway. Of course I then cannot remove it, because I have no permission in that zone. You can test this by moving default/support.html into /, which by default is allowed only to the "admin" user. I've seen in the code that the permission access for copy and move operations is only for the "from" path and there is no control for the "to" path. Looking at the method "hasManageAccess" in the org.jboss.portal.cms.impl.jcr.command.ACLEnforcer class, there is:
>         else if(command instanceof MoveCommand)
>         {
>             path = ((MoveCommand)command).msFromPath;
>         }      
> and the same thing for the copy command.
> I modified this part in this way:
>         else if(command instanceof MoveCommand)
>         {
>             path = ((MoveCommand)command).msFromPath;
>             hasManageAccess = this.computeAccess(user,path,"manage");
>             if (hasManageAccess)
>             {
>                 path = ((MoveCommand)command).msToPath;
>                 hasManageAccess = this.computeAccess(user,path,"manage");
>             }
>         }
> adding a permission control for the "to" path. It seems OK. Could you try it?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
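
The source-only check described in the report, set beside a check of both paths, as an added example that is not part of the original message and is not JBoss Portal's ACLEnforcer code. The class name, the canManage helper and the ACL entries are hypothetical and constructed for illustration; only the default/support.html to / move comes from the report.

```java
import java.util.*;

// Added illustration only: a simplified stand-in for the check discussed above,
// not JBoss Portal code. All names and ACL entries here are hypothetical.
public class MoveCopyAclDemo {
    // Constructed ACL: path prefix -> users holding "manage" on it.
    static final Map<String, Set<String>> MANAGE = new TreeMap<>(Map.of(
        "/", Set.of("admin"),
        "/default", Set.of("admin", "editor")));

    // Longest matching prefix wins, so /default/x inherits from /default, not /.
    static boolean canManage(String user, String path) {
        String best = null;
        for (String prefix : MANAGE.keySet()) {
            boolean matches = prefix.equals("/") || path.equals(prefix)
                || path.startsWith(prefix + "/");
            if (matches && (best == null || prefix.length() > best.length())) best = prefix;
        }
        return best != null && MANAGE.get(best).contains(user);
    }

    // Behaviour described in the report: only the "from" path is checked.
    static boolean sourceOnlyCheck(String user, String from, String to) {
        return canManage(user, from);
    }

    // Behaviour of the reporter's proposal: "from" and "to" must both pass.
    static boolean sourceAndDestinationCheck(String user, String from, String to) {
        return canManage(user, from) && canManage(user, to);
    }

    public static void main(String[] args) {
        String from = "/default/support.html", to = "/support.html";
        for (String user : List.of("editor", "admin")) {
            System.out.printf("%s move %s -> %s: source-only=%b, both-paths=%b%n",
                user, from, to,
                sourceOnlyCheck(user, from, to),
                sourceAndDestinationCheck(user, from, to));
        }
    }
}
```

With this constructed ACL, the non-"admin" user passes the source-only check for the move into / and is refused once the destination is checked as well, while "admin" passes both.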

        


