DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40609>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40609
------- Additional Comments From [EMAIL PROTECTED]  2006-09-28 10:07 -------
http://svn.apache.org/viewvc/lenya/trunk/src/modules-core/ac-impl/java/src/org/apache/lenya/ac/impl/PolicyAuthorizer.java?view=markup
protected boolean authorizePolicy(
        Identity identity,
        Request request,
        String webappUrl)
...
Credential[] credentials = policy.getCredentials(identity);
for (int i = 0; i < credentials.length; i++) {
    Credential credential = credentials[i];
    for (int j = 0; j < roles.length; j++) {
        Role role = roles[j];
        if (credential.contains(role)) {
            String method = credential.getMethod();
            if (method.equals(CredentialImpl.GRANT)) {
                authorized = true;
            }
            out = true;
            break;
        }
    }
    if (out)
        break;
}
saveRoles(request, roles);
return authorized;
...

Right now, with the above code, we follow
http://lenya.apache.org/docs/1_4/reference/ac.html#Concept
"When a credential is found which assigns the role r to the accreditable a,
return the method of the credential."

The problem is that the request right now *does not* attach the requested role
(but all possible roles for the user) to the request. Meaning the above looks
into role[] and tests each role. If we find a deny then we return false.

What this bug report means is to extend this method to test each role[] and if
it is denied then remove the role[it] from the array. If we traversed all roles
and roles.length == 0 then we return false, otherwise true (authorised with a
role that did not get denied).
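An added example, not Lenya's code, modelling the two evaluation strategies the comment contrasts: the current first-match loop, and the proposed filter that drops denied roles and authorises when any role survives. The Credential class, the GRANT/DENY strings and the sample policy are constructed here for illustration and stand in for Lenya's Credential/CredentialImpl; the third method is an assumed stricter variant that additionally requires an explicit grant for a surviving role.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical model of Lenya-style role policies; not the project's classes.
public class RolePolicyDemo {

    static final String GRANT = "grant";
    static final String DENY = "deny";

    /** One credential: a method (grant or deny) applied to a set of roles. */
    static final class Credential {
        final String method;
        final List<String> roles;

        Credential(String method, String... roles) {
            this.method = method;
            this.roles = Arrays.asList(roles);
        }

        boolean contains(String role) {
            return roles.contains(role);
        }
    }

    /** Current behaviour (mirrors the quoted loop): the first credential that
     *  mentions any of the user's roles decides the outcome, so a deny that
     *  precedes a grant wins regardless of the other roles the user holds. */
    static boolean authorizeFirstMatch(Credential[] credentials, String[] roles) {
        for (Credential credential : credentials) {
            for (String role : roles) {
                if (credential.contains(role)) {
                    return GRANT.equals(credential.method);
                }
            }
        }
        return false;
    }

    /** Proposed behaviour, taken literally from the comment: remove every role
     *  that some credential denies and return what is left. */
    static String[] removeDeniedRoles(Credential[] credentials, String[] roles) {
        List<String> remaining = new ArrayList<>(Arrays.asList(roles));
        for (Credential credential : credentials) {
            if (DENY.equals(credential.method)) {
                remaining.removeAll(credential.roles);
            }
        }
        return remaining.toArray(new String[0]);
    }

    /** Authorised if at least one role was not denied (the comment's rule). */
    static boolean authorizeProposed(Credential[] credentials, String[] roles) {
        return removeDeniedRoles(credentials, roles).length > 0;
    }

    /** Stricter variant (assumption, not in the comment): a surviving role only
     *  authorises if some credential explicitly grants it. */
    static boolean authorizeExplicitGrant(Credential[] credentials, String[] roles) {
        for (String role : removeDeniedRoles(credentials, roles)) {
            for (Credential credential : credentials) {
                if (GRANT.equals(credential.method) && credential.contains(role)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed policy: the deny credential is listed before the grant,
        // which is exactly the ordering that trips the first-match loop.
        Credential[] policy = {
            new Credential(DENY, "visit"),
            new Credential(GRANT, "edit")
        };
        String[] editorRoles = { "visit", "edit" };
        String[] reviewRoles = { "visit", "review" }; // "review" appears in no credential

        System.out.println("editor, first match    : " + authorizeFirstMatch(policy, editorRoles));
        System.out.println("editor, proposed       : " + authorizeProposed(policy, editorRoles));
        System.out.println("editor, explicit grant : " + authorizeExplicitGrant(policy, editorRoles));
        System.out.println("review, proposed       : " + authorizeProposed(policy, reviewRoles));
        System.out.println("review, explicit grant : " + authorizeExplicitGrant(policy, reviewRoles));
    }
}
```

With this constructed policy (deny on visit, grant on edit) and a user holding both roles, authorizeFirstMatch returns false because the deny credential is met first, while authorizeProposed returns true because edit survives the filter. For a user holding visit and review, where review is named by no credential at all, the literal proposal still authorises, since review is never denied and the array stays non-empty; authorizeExplicitGrant returns false for that user because nothing grants review. Whether a role that no credential mentions should authorise is the point to settle before implementing the change.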

