[ http://opensource.atlassian.com/projects/roller/browse/ROL-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Johnson updated ROL-1511:
-------------------------------
Assignee: David Johnson (was: Roller Unassigned)
Fix Version/s: 4.0, 3.1.1
> Access to Comment Management page through email link results in Permission Denied except for global administrator
> ---------------------------------------------------------------------------------------------------------------
>
> Key: ROL-1511
> URL:
> http://opensource.atlassian.com/projects/roller/browse/ROL-1511
> Project: Roller
> Issue Type: Bug
> Components: Authentication, Roles and Access Controls
> Affects Versions: 3.1
> Environment: Roller version is 3.1
> APP. Server BEA 9.2
> Database oracle 9.2.4
> Java 1.5.0
> OS is Solaris 9/10
> Reporter: Henry Chang
> Assignee: David Johnson
> Fix For: 3.1.1, 4.0
>
>
> Use Case:
> Blog entry creator clicks on "Link to comment management page:" in the email
> and enters Comment Management page.
> Result:
> Only global administrator can access Comment Management page, other users get
> a "Permission Denied" page.
> Reason:
> The code snippet is quoted from the CommentManagementAction:query() method. The
> logic expects a weblog handle in the request, but the email link does not provide it.
>
>     if (rreq.getWebsite() != null &&
>             rses.isUserAuthorized(rreq.getWebsite())) {
>         fwd = mapping.findForward("commentManagement.page");
>     }
>     // Ensure only global admins can see all comments
>     else if (rses.isGlobalAdminUser()) {
>         fwd = mapping.findForward("commentManagementGlobal.page");
>     }
>     else {
>         // And everybody else gets...
>         return mapping.findForward("access-denied");
>     }
> The email sent to a blog entry creator has a link to the Comment Management
> page. This link points to roller-ui/authoring/commentManagement.do and
> contains two parameters, method and entryId. The
> CommentManagementAction:query() method expects to find a weblog handle in the request
> object to check for authorization, but it cannot find one, which breaks the
> if clause. Only the global administrator satisfies the else-if clause. Other
> users are forwarded to the "access-denied" page.
> Suggested Fix:
> The email link is generated by the sendEmailNotification() method in
> src\org\apache\roller\ui\rendering\servlets\CommentServlet.java, and I quote:
>
>     deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query&entryId="
>             + entry.getId());
>
> Add the weblog handle to this link:
>
>     deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query" +
>             "&weblog=" + site.getName() + "&entryId=" + entry.getId());
>
> The weblog handle will be passed from the email link into the request object and
> can be checked for authorization. The entryId can be used to bring up the comment
> management page for this entry.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/roller/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
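The authorization decision described in the issue, as an added example that is not Roller's own code: rather than depending on a weblog handle that the email link may or may not carry, this version resolves the owning weblog from the entry id on the server side and fails closed when the entry cannot be found. The Session interface, Entry class, in-memory entry store, forward names and the sample entries are all hypothetical stand-ins for the Roller APIs named in the report.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Roller project code: an authorization decision for the
 * comment-management request from ROL-1511. The weblog used for the permission
 * check is derived from the stored entry instead of a "weblog" URL parameter,
 * and the request is denied whenever the entry id does not resolve. Session,
 * Entry, ENTRIES and the Forward names are hypothetical stand-ins.
 */
public class CommentManagementAuth {

    enum Forward { COMMENT_MANAGEMENT, COMMENT_MANAGEMENT_GLOBAL, ACCESS_DENIED }

    /** Stand-in for the Roller session object (rses) used in the issue. */
    interface Session {
        boolean isGlobalAdminUser();
        boolean isUserAuthorized(String weblogHandle);
    }

    /** Stand-in for a stored blog entry: its id plus the owning weblog handle. */
    static final class Entry {
        final String id;
        final String weblogHandle;
        Entry(String id, String weblogHandle) {
            this.id = id;
            this.weblogHandle = weblogHandle;
        }
    }

    /** Constructed sample store: two entries belonging to two different weblogs. */
    static final Map<String, Entry> ENTRIES = new HashMap<>();
    static {
        ENTRIES.put("entry-1", new Entry("entry-1", "alice"));
        ENTRIES.put("entry-2", new Entry("entry-2", "bob"));
    }

    /**
     * Mirrors the if / else-if / else structure quoted in the issue, but the
     * handle to authorize against comes from the entry whenever an entryId is
     * present; an explicit weblog parameter is only used when no entryId is given.
     */
    static Forward query(Session rses, String weblogParam, String entryId) {
        String weblogHandle = null;

        if (entryId != null) {
            Entry entry = ENTRIES.get(entryId);
            if (entry == null) {
                // Unknown entry: fail closed instead of falling through.
                return Forward.ACCESS_DENIED;
            }
            weblogHandle = entry.weblogHandle;
        } else if (weblogParam != null) {
            // No entry in the request: fall back to the explicit handle.
            weblogHandle = weblogParam;
        }

        if (weblogHandle != null && rses.isUserAuthorized(weblogHandle)) {
            return Forward.COMMENT_MANAGEMENT;
        } else if (rses.isGlobalAdminUser()) {
            // Only global admins may see all comments.
            return Forward.COMMENT_MANAGEMENT_GLOBAL;
        } else {
            return Forward.ACCESS_DENIED;
        }
    }

    /** Session for a non-admin user who is authorized for exactly one weblog. */
    static Session authorOf(final String handle) {
        return new Session() {
            public boolean isGlobalAdminUser() { return false; }
            public boolean isUserAuthorized(String h) { return handle.equals(h); }
        };
    }

    public static void main(String[] args) {
        Session alice = authorOf("alice");
        // The email link from the issue: method=query&entryId=... with no weblog handle.
        System.out.println("own entry, no weblog param: " + query(alice, null, "entry-1"));
        // The same user requesting an entry that belongs to another weblog.
        System.out.println("other weblog's entry:       " + query(alice, null, "entry-2"));
        // An entry id that does not exist.
        System.out.println("unknown entry:              " + query(alice, null, "no-such-entry"));
        // The legacy form of the request: weblog handle only, no entryId.
        System.out.println("weblog param only:          " + query(alice, "alice", null));
    }
}
```

With this arrangement the email link that carries only method and entryId is enough for the entry's author to reach the per-weblog page, and a user who is not authorized for the entry's weblog is denied even if a different weblog handle is supplied in the URL, because the parameter is ignored whenever an entryId is present.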