[ http://jira.magnolia.info/browse/MAGNOLIA-572?page=comments#action_11377
]
Tom Engel commented on MAGNOLIA-572:
------------------------------------
Sorry to bug you guys with that again, but there is still a bug in the code
with mayor effects.
It can still happen that the order of the assigned roles to a user is defining
the permissions to a certain path, not the permissions itself. And that's
regardless if the higher or the lower permissions should be taken - although
the new way to take the higher ones is better ;-)
Think of a user having two roles that set permissions to the same path on e.g.
website
first: path=/*, permission=63
second: path=/*, permission=8
I just post the commented actual code now of AccessManagerImpl, to keep it short
// we want to check permissions for the path /*
public long getPermissions(String path) {
if (userPermissions == null) {
return Permission.ALL;
}
long permission = 0;
int patternLength = 0;
for (int i = 0; i < userPermissions.size(); i++) {
// I think we all agree, that after first iteration
// permission=63 and
// patternLength=2
// so we keep looking at second iteration:
Permission p = (Permission) userPermissions.get(i);
if (p.match(path)) {
// yes, we match again, so we go on
int l = p.getPattern().getLength();
// p.getPattern().getLength() is also 2, so patternLength == l
// but p.getPermissions() is 8 and so this (permission < p.getPermissions())
evaluates to false
if (patternLength == l && (permission < p.getPermissions())) {
permission = p.getPermissions();
}
// p.getPattern().getLength() is also 2, so (patternLength <= l) evaluates to
true
else if (patternLength <= l) {
// so, here we are
patternLength = l; // ok, it's the same anyway
permission = p.getPermissions(); // BUG IN THIS LINE
// before setting the permission to the value of the pattern, you have to
// check if(permission < p.getPermissions()) because otherwise you overwrite
this value with any permission smaller than the actual one
}
}
}
// after iterations, this is 8, not 63...
return permission;
}
Sorry for being such a nag, but I think that's quite important.
Regards,
tom
> ACL evaluation in case of exact match of path in different roles
> ----------------------------------------------------------------
>
> Key: MAGNOLIA-572
> URL: http://jira.magnolia.info/browse/MAGNOLIA-572
> Project: magnolia wcm
> Type: Bug
> Components: core
> Versions: 2.1 Final
> Reporter: Tom Engel
> Assignee: Sameer Charles
> Priority: Minor
> Fix For: 2.2 M1
>
>
> When two roles define an ACL for the same path and both roles are assigned to
> a user, only the lowest permission for that path is taken by the access
> manager. Should be the highest available permission for that path, because
> the rights of the roles should always be summed up.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia.info/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
----------------------------------------------------------------
for list details see
http://www.magnolia.info/en/magnolia/developer.html
----------------------------------------------------------------
