[ http://opensource.atlassian.com/projects/roller/browse/ROL-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Johnson resolved ROL-1511.
--------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 4.0)

URL: http://svn.apache.org/viewvc?view=rev&rev=564401

Form correct URL for comment management

> Access to Comment Management page through email link results in Permission Denied except for global administrator
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: ROL-1511
>                 URL: 
> http://opensource.atlassian.com/projects/roller/browse/ROL-1511
>             Project: Roller
>          Issue Type: Bug
>          Components: Authentication, Roles and Access Controls
>    Affects Versions: 3.1
>         Environment: Roller version is 3.1
> APP. Server BEA 9.2
> Database oracle 9.2.4
> Java 1.5.0
> OS is Solaris 9/10
>            Reporter: Henry Chang
>            Assignee: David Johnson
>             Fix For: 3.1.1
>
>
> Use Case:
> Blog entry creator clicks on "Link to comment management page:" in the email and enters the Comment Management page.
> Result:
> Only the global administrator can access the Comment Management page; other users get a "Permission Denied" page.
> Reason:
> The code snippet is quoted from the CommentManagementAction:query() method. The logic expects a weblog handle in the request, but the email link does not provide it.
>         if (rreq.getWebsite() != null && rses.isUserAuthorized(rreq.getWebsite())) {
>             fwd =  mapping.findForward("commentManagement.page");
>         }
>         // Ensure only global admins can see all comments
>         else if (rses.isGlobalAdminUser()) {
>             fwd =  mapping.findForward("commentManagementGlobal.page");
>         }
>         else {
>             // And everybody else gets...
>             return mapping.findForward("access-denied");
>         }
> The email sent to a blog entry creator has a link to the Comment Management page. This link points to roller-ui/authoring/commentManagement.do and contains two parameters, method and entryId. CommentManagementAction:query() expects to find a weblog handle in the request object to check for authorization, but it cannot find one, so the if clause fails. Only the global administrator satisfies the else-if clause. Other users will be forwarded to the "access-denied" page.
> Suggested Fix:
> The email link is generated by the sendEmailNotification() method in src\org\apache\roller\ui\rendering\servlets\CommentServlet.java, and I quote:
>
>         deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query&entryId=" + entry.getId());
>
> Add the weblog handle to this link:
>
>         deleteURL.append("/roller-ui/authoring/commentManagement.do?method=query" + "&weblog=" + site.getName() + "&entryId=" + entry.getId());
>
> The weblog handle will be passed from the email link into the request object and can be checked for authorization. The entryId can be used to bring up the comment management page for this entry.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://opensource.atlassian.com/projects/roller/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira