Access to Comment Management page through email link results in Permission 
Denied except for global administrator
-----------------------------------------------------------------------------------------------------------------

                 Key: ROL-1511
                 URL: http://opensource.atlassian.com/projects/roller/browse/ROL-1511
             Project: Roller
          Issue Type: Bug
          Components: Authentication, Roles and Access Controls
    Affects Versions: 3.1
         Environment: Roller version is 3.1
APP. Server BEA 9.2
Database oracle 9.2.4
Java 1.5.0
OS is Solaris 9/10
            Reporter: Henry Chang
            Assignee: Roller Unassigned


Use Case:
Blog entry creator clicks on "Link to comment management page:" in the email 
and enters Comment Management page.

Result:
Only global administrator can access Comment Management page, other users get a 
"Permission Denied" page.

Reason:
The following code snippet is quoted from the CommentManagementAction:query() method. The 
logic expects a weblog handle in the request, but the email link does not provide it.
        // Per-weblog check: only matches when a weblog handle is present in the request
        if (rreq.getWebsite() != null &&
                rses.isUserAuthorized(rreq.getWebsite())) {
            fwd = mapping.findForward("commentManagement.page");
        }
        // Ensure only global admins can see all comments
        else if (rses.isGlobalAdminUser()) {
            fwd = mapping.findForward("commentManagementGlobal.page");
        }
        else {
            // And everybody else gets...
            return mapping.findForward("access-denied");
        }
The email sent to a blog entry creator has a link to the Comment Management page. 
This link points to roller-ui/authoring/commentManagement.do and contains two 
parameters, method and entryId. The CommentManagementAction:query() expects to 
find a weblog handle in the request object to check for authorization, but it cannot 
find one, which breaks the if clause. Only the global administrator 
satisfies the else clause. Other users will be forwarded to the "access-denied" page.

Suggested Fix:
The email link is generated by the sendEmailNotification() method in 
src\org\apache\roller\ui\rendering\servlets\CommentServlet.java and I quote:
        deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query&entryId="
                + entry.getId());
Add weblog handle to this link:
        deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query"
                + "&weblog=" + site.getName() + "&entryId=" + entry.getId());
The weblog handle will be passed from email link into the request object and 
can be checked for authorization. The entryId can be used to bring up comment 
management page for this entry.
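The following is an added stand-alone model of the branch order described under "Reason" and of the suggested fix, not code from Roller: the session, the entry lookup and the weblog handle "henryblog" are constructed stubs standing in for RollerSession and the entry's owning weblog. Besides the link with the extra weblog parameter, it also shows a variant that resolves the weblog from entryId on the server, so the permission check is bound to the entry being managed rather than to a handle carried in the link.

```java
// Added example (not Roller's code): models CommentManagementAction.query()
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class CommentForwardModel {
    // Constructed sample data: entry id -> handle of the weblog that owns it
    static final Map<String, String> ENTRY_WEBLOG = new HashMap<String, String>();
    static { ENTRY_WEBLOG.put("e1", "henryblog"); }

    // Stand-in for RollerSession: weblogs the user may manage, plus the admin flag
    static class Session {
        final Set<String> authorizedWeblogs;
        final boolean globalAdmin;
        Session(Set<String> weblogs, boolean admin) { authorizedWeblogs = weblogs; globalAdmin = admin; }
        boolean isUserAuthorized(String weblog) { return weblog != null && authorizedWeblogs.contains(weblog); }
    }

    // Same branch order as query(): per-weblog check, then global admin, else denied.
    // With no weblog handle in the request the first branch can never match.
    static String forwardFromRequest(String weblogParam, Session rses) {
        if (weblogParam != null && rses.isUserAuthorized(weblogParam)) {
            return "commentManagement.page";
        } else if (rses.globalAdmin) {
            return "commentManagementGlobal.page";
        }
        return "access-denied";
    }

    // Variant: derive the weblog from entryId server-side instead of trusting a
    // handle in the link, so the check applies to the entry actually being managed
    static String forwardFromEntry(String entryId, Session rses) {
        return forwardFromRequest(ENTRY_WEBLOG.get(entryId), rses);
    }

    public static void main(String[] args) {
        Session author = new Session(Collections.singleton("henryblog"), false);
        Session admin = new Session(Collections.<String>emptySet(), true);
        // Email link as generated today: method=query&entryId=e1, no weblog handle
        System.out.println("author, no weblog param:  " + forwardFromRequest(null, author));
        System.out.println("admin, no weblog param:   " + forwardFromRequest(null, admin));
        // Link with the suggested &weblog=<handle> parameter added
        System.out.println("author, weblog=henryblog: " + forwardFromRequest("henryblog", author));
        // Same decision derived from the entry rather than from the link
        System.out.println("author, entryId=e1:       " + forwardFromEntry("e1", author));
    }
}
```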

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://opensource.atlassian.com/projects/roller/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
