[jboss-jira] [JBoss JIRA] Updated: (JBPORTAL-2462) PortalNode permissions check problem for child Windows

Sun Nov 1 00:03:06 EDT 2009

     [ https://jira.jboss.org/jira/browse/JBPORTAL-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Pemberton updated JBPORTAL-2462:
-------------------------------------

    Attachment: portalnode-permissions.patch


> PortalNode permissions check problem for child Windows
> ------------------------------------------------------
>
>                 Key: JBPORTAL-2462
>                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2462
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal Core
>    Affects Versions: 2.6.8 Final, 2.7.2 Final
>            Reporter: Andy Pemberton
>         Attachments: portalnode-permissions.patch
>
>
> I believe there is an issue in the PortalNode API when building the map of children for a given node.  The issue lies in the strategy for checking the permissions on a Page (PortalObjectPermission - configured in *-object.xml) vs. Window (InstancePermission - configured in portlet-instances.xml). 
> The current implementation:  PortalNodeImpl.NodeList.buildChildMap(PortalNodeImpl objectNode) checks permissions for each child node as follows:
> ...
> if (!visible)
> {
> 	visible = portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
> }
> ...
> The problem here is that when building the child map for a page, the children may be either other Pages or portlet Windows; the current code only correctly checks permissions for child Pages.
> I think the above code should check the permissions as follows:
> ...
> if (!visible)
> {
> 	if (childObject.getType() == PortalObject.TYPE_WINDOW)
> 	{
> 		visible = objectNode.portalAuthorizationManager.checkPermission(new InstancePermission(((WindowImpl) childObject).getURI(), InstancePermission.VIEW_ACTION));
> 	} else {
> 		visible = objectNode.portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
> 	}
> }
> ...
> This issue may be less apparent because the implementation first checks the 'viewrecursive' permission on pages and if it exists, doesn't check the window permissions at all. One way to reproduce the issue is to ensure a given page is secured with 'view' permission only and then use the PortalNode API to create a link from one portlet to another on the same page (as suggested in section 13.9.3 of the reference guide: 'Link to other pages' http://docs.jboss.com/jbportal/v2.7.1/referenceGuide/html_single/#d0e7436).
> I've checked that this issue exists in JBP 2.6 and 2.7; I've attached a patch that I've tested against 2.6.5.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira