[ https://issues.apache.org/jira/browse/FELIX-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434284#comment-17434284 ]

Joel Dudley commented on FELIX-6467:
------------------------------------

Hi there, my name's Joel. I hope the description above is sufficient. I'll 
monitor this ticket as well as my email ([email protected]). Thanks for taking 
a look. Best, Joel.

> `AllPermission` not checked when updating `ConditionalPermissionAdmin`
> ----------------------------------------------------------------------
>
>                 Key: FELIX-6467
>                 URL: https://issues.apache.org/jira/browse/FELIX-6467
>             Project: Felix
>          Issue Type: Bug
>          Components: Conditional Permission Admin
>    Affects Versions: framework.security-2.8.1
>            Reporter: Joel Dudley
>            Priority: Major
>
> `ConditionalPermissionUpdate.commit()` should check whether the caller has 
> `AllPermission` before committing the updated permissions. The Javadocs state:
> _"Throws:_
>     _*SecurityException – If the caller does not have AllPermission.*_
>     _IllegalStateException – If this update's Conditional Permissions are not 
> valid or inconsistent. For example, this update has two Conditional 
> Permissions in it with the same name"_
> This check is not performed (it is performed in the deprecated 
> `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()` 
> methods).
> As a result, there is no way to prevent arbitrary code that can access the 
> `ConditionalPermissionAdmin` from modifying the permissions at will.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
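
The check that the quoted Javadoc calls for, written as a delegating wrapper around the OSGi `ConditionalPermissionUpdate` interface. This is an added example, not Felix code and not the project's fix; the class name `GuardedConditionalPermissionUpdate` and its `begin()` helper are hypothetical, and it assumes the framework runs with a `SecurityManager` installed.

```java
import java.security.AllPermission;
import java.util.List;

import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

/** Hypothetical wrapper (not Felix code) that enforces the documented commit() contract. */
public final class GuardedConditionalPermissionUpdate implements ConditionalPermissionUpdate {

    private final ConditionalPermissionUpdate delegate;

    private GuardedConditionalPermissionUpdate(ConditionalPermissionUpdate delegate) {
        this.delegate = delegate;
    }

    /** Starts an update whose commit() is gated on AllPermission. */
    public static ConditionalPermissionUpdate begin(ConditionalPermissionAdmin admin) {
        return new GuardedConditionalPermissionUpdate(admin.newConditionalPermissionUpdate());
    }

    @Override
    public List<ConditionalPermissionInfo> getConditionalPermissionInfos() {
        // This list is the update's working copy; only commit() changes the live table.
        return delegate.getConditionalPermissionInfos();
    }

    @Override
    public boolean commit() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Throws SecurityException unless the calling context holds AllPermission,
            // which is the behaviour the Javadoc for commit() documents.
            sm.checkPermission(new AllPermission());
        }
        // Without a SecurityManager nothing is enforced and the call passes through.
        return delegate.commit();
    }
}
```

The wrapper only protects callers that go through it: code that obtains the `ConditionalPermissionAdmin` service directly still reaches the unguarded `commit()`, so the check has to live in the framework's own implementation to close the gap described in the ticket.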
