[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-2462) PortalNode permissions check problem for child Windows
Andy Pemberton (JIRA)
jira-events at lists.jboss.org
Sun Nov 1 00:03:06 EDT 2009
PortalNode permissions check problem for child Windows
------------------------------------------------------
Key: JBPORTAL-2462
URL: https://jira.jboss.org/jira/browse/JBPORTAL-2462
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal Core
Affects Versions: 2.7.2 Final, 2.6.8 Final
Reporter: Andy Pemberton
Attachments: portalnode-permissions.patch
I believe there is an issue in the PortalNode API when building the map of children for a given node. The issue lies in the strategy for checking the permissions on a Page (PortalObjectPermission - configured in *-object.xml) vs. Window (InstancePermission - configured in portlet-instances.xml).
The current implementation: PortalNodeImpl.NodeList.buildChildMap(PortalNodeImpl objectNode) checks permissions for each child node as follows:
    ...
    if (!visible)
    {
        visible = portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
    }
    ...
The problem here is that when building the child map for a page, the children may be either other Pages or portlet Windows; the current code only correctly checks permissions for child Pages.
I think the above code should check the permissions as follows:
    ...
    if (!visible)
    {
        if (childObject.getType() == PortalObject.TYPE_WINDOW)
        {
            visible = objectNode.portalAuthorizationManager.checkPermission(new InstancePermission(((WindowImpl) childObject).getURI(), InstancePermission.VIEW_ACTION));
        } else {
            visible = objectNode.portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
        }
    }
    ...
This issue may be less apparent because the implementation first checks the 'viewrecursive' permission on pages and if it exists, doesn't check the window permissions at all. One way to reproduce the issue is to ensure a given page is secured with 'view' permission only and then use the PortalNode API to create a link from one portlet to another on the same page (as suggested in section 13.9.3 of the reference guide: 'Link to other pages' http://docs.jboss.com/jbportal/v2.7.1/referenceGuide/html_single/#d0e7436).
I've checked that this issue exists in JBP 2.6 and 2.7; I've attached a patch that I've tested against 2.6.5.
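A self-contained model of the two checks discussed in this report, added here as an illustration; it is not JBoss Portal code and not the attached patch. The types, ids and policy sets are hypothetical stand-ins, and the constructed policy assumes page rights and window (instance) rights are granted in two separate domains.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

// Model only (Java 16+ for records); every name here is a hypothetical stand-in.
public class ChildMapCheck {
    enum Type { PAGE, WINDOW }

    // A child has a portal-object id; a window also refers to a portlet instance.
    record Child(String objectId, Type type, String instanceId) {}

    // Constructed policy: object rights (cf. *-object.xml) and instance rights
    // (cf. portlet-instances.xml) are kept in two separate domains.
    static final Set<String> OBJECT_VIEW = Set.of("default.home.news", "default.home.AdminWindow");
    static final Set<String> INSTANCE_VIEW = Set.of("WeatherInstance");

    // Strategy the report describes as current: every child is checked as a portal object.
    static boolean visibleObjectOnly(Child c) {
        return OBJECT_VIEW.contains(c.objectId());
    }

    // Strategy the report proposes: windows are checked in the instance domain.
    static boolean visibleByType(Child c) {
        return c.type() == Type.WINDOW
                ? INSTANCE_VIEW.contains(c.instanceId())
                : OBJECT_VIEW.contains(c.objectId());
    }

    // Builds the list of child ids that pass the given visibility check.
    static List<String> childMap(List<Child> children, Predicate<Child> check) {
        List<String> out = new ArrayList<>();
        for (Child c : children) {
            if (check.test(c)) {
                out.add(c.objectId());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<Child> children = List.of(
            new Child("default.home.news", Type.PAGE, null),
            new Child("default.home.WeatherWindow", Type.WINDOW, "WeatherInstance"),
            new Child("default.home.AdminWindow", Type.WINDOW, "AdminInstance"));
        System.out.println("object-only: " + childMap(children, ChildMapCheck::visibleObjectOnly));
        System.out.println("by type:     " + childMap(children, ChildMapCheck::visibleByType));
    }
}
```

In this constructed policy the two strategies disagree on both windows, which is the kind of mismatch a regression test for the child map should pin down with one page child and at least two window children.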