[jboss-jira] [JBoss JIRA] Updated: (JBPORTAL-2033) User with only read-permissions on a folder cannot read a folder
Sohil Shah (JIRA)
jira-events at lists.jboss.org
Thu Jun 26 15:50:59 EDT 2008
[ http://jira.jboss.com/jira/browse/JBPORTAL-2033?page=all ]
Sohil Shah updated JBPORTAL-2033:
---------------------------------
Fix Version/s: 2.6.6 Final
Affects Version/s: 2.6.5 SP1
tentatively evaluate to fix in the 2.6.6 timeframe
> User with only read-permissions on a folder cannot read a folder
> ----------------------------------------------------------------
>
> Key: JBPORTAL-2033
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-2033
> Project: JBoss Portal
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Portal CMS
> Affects Versions: 2.6.5 SP1
> Reporter: Wulf Rowek
> Assigned To: Sohil Shah
> Fix For: 2.6.6 Final
>
>
> In the ACLInterceptor there is a special part of code (applyFilter method), which was obviously created to hide items from a user who has no write access and browses in a tool portlet (i.e. CMSAdmin),
> but this aim should not be satisfied on ACL-Level, in my opinion, because it's a contradiction that a user has read permission but cannot read the item.
> And to read a folder by a user seems to be a legitimate request, even if he has no write permission, i.e. to build a folder-index and browse a folder.
> Possible solution: specify the need of the result in the command (i.e. only read or something else) and don't filter if the result of the command will be needed for reading only.
> Or maybe better: filter on application level, after the result was caught from the command by the executor.
> At this moment, I just commented out this line in applyFilter
> securityContext.removeAttribute("command");
> to disable this feature at all and to give read-permitted users read access.