Joern Nettingsmeier wrote:
Andreas Hartmann wrote:
Hi Jörn,

Since this commit there's no need to log in anymore to view the
authoring area (reproducible on the zone demo). I hope there is
a better solution to the problem :)

ouch!

that is quite embarrassing... i should have tested that.
however, i don't really see how this came about - looks like a bug in the underlying ac code. will have to check...

sorry for this fuckup,

the bug is in the ac code.

my naive assumption was that usecases are authorized according to the usecase-policies.xml file, which maps usecases to roles. roles are mapped to accreditables using the subtree-policy.xml files, right? and then the usecase authorizer checks if a required role is held for the requested document and usecase.

so far so good.
i further assumed that the right to visit pages is handled by the "visit" role. based on this assumption i created the patch.

now here is the function that (iiuc) takes care of authorization:

protected boolean authorizePolicy(
        Identity identity,
        Request request,
        String webappUrl)
        throws AccessControlException {

    Role[] roles = getPolicyManager().getGrantedRoles(getAccreditableManager(), identity, webappUrl);
    saveRoles(request, roles);
    return roles.length > 0;
}


which to me sounds like "hey, you have any old role? fine, come on in." even if the assigned role is "fuckoff", or, as in this case, "session".
this is really really wrong!

the authorizer that is invoked when documents are accessed needs to check for a particular role "visit", or maybe (since we are in authoring), for "visit OR admin OR review OR edit" (although i'd prefer to add an explicit "visit" role to all people who will need to use the authoring area), not just for roles.length > 0. the assumption that users will not create any other roles and we can cut corners like this is obviously ill-advised. :-D

sorry, but i can't fix this one myself since i have not yet found my way around the new ac code. anyone else?

i'm adding this as a blocker bug for now.


--
Jörn Nettingsmeier

Kurt is up in heaven now.
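As an added illustration, not code from Lenya or from this thread, here is the "any role at all" check next to a check that requires one of the roles the mail names; the policy-manager lookup is replaced by constructed role arrays, and all class and method names are hypothetical:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the authorizer; not the Lenya PolicyManager API.
public class VisitAuthorizer {

    // The check as posted: holding any granted role at all opens the door,
    // so an identity that only carries "session" is let in.
    static boolean authorizeAnyRole(String[] grantedRoles) {
        return grantedRoles.length > 0;
    }

    // The check the mail asks for: at least one of the accepted roles
    // ("visit", or "visit OR admin OR review OR edit") must be granted.
    static boolean authorizeRequiredRole(String[] grantedRoles, Set<String> acceptedRoles) {
        for (String role : grantedRoles) {
            if (acceptedRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: an anonymous visitor holding only the "session" role.
        String[] anonymous = { "session" };
        // Constructed sample: an editor who also holds "visit" and "edit".
        String[] editor = { "session", "visit", "edit" };

        Set<String> authoringRoles =
            new HashSet<>(Arrays.asList("visit", "admin", "review", "edit"));

        System.out.println("any-role check, anonymous: " + authorizeAnyRole(anonymous));
        System.out.println("role check, anonymous:     " + authorizeRequiredRole(anonymous, authoringRoles));
        System.out.println("role check, editor:        " + authorizeRequiredRole(editor, authoringRoles));
    }
}
```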

