Bug in ACL processing of exchangeBound()
----------------------------------------

                 Key: QPID-2107
                 URL: https://issues.apache.org/jira/browse/QPID-2107
             Project: Qpid
          Issue Type: Bug
          Components: C++ Broker
    Affects Versions: 0.5
            Reporter: Tim Platten


There is a bug in ACL exchangeBound() processing which incorrectly checks the 
"create exchange" action instead of "access exchange". 

ACL: 
acl allow tes...@qpid access exchange name=foo 

Code: 
    result = session->exchangeBound("foo"); 

Broker: 
2009-sep-08 09:12:17 info ACL Deny id:tes...@qpid action:create ObjectType:exchange Name:eurex.baclo
2009-sep-08 09:12:17 error Execution exception: not-allowed: ACL denied exhange bound request from tes...@qpid (qpid/broker/SessionAdapter.cpp:234)

I believe this is due to a bug in SessionAdapter::ExchangeHandlerImpl::bound:
    if (!acl->authorise(getConnection().getUserId(), acl::ACT_CREATE, acl::OBJ_EXCHANGE, exchangeName, &params))
should read:
    if (!acl->authorise(getConnection().getUserId(), acl::ACT_ACCESS, acl::OBJ_EXCHANGE, exchangeName, &params))

Additionally, there is a typo where "exchange" is incorrectly spelt "exhange" 
in most ACL messages.
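
The mismatch described in this report, as an added example that is not part of the original report or of the Qpid source: a toy ACL evaluator showing that a rule granting only `access exchange` is denied when the check asks for the create action and allowed when it asks for access. The first-match-wins, default-deny model and the names `Rule`, `parseRule`, `authorise`, `boundAsReported`, `boundAsProposed` and `user@qpid` are assumptions made for the illustration.

```cpp
// Added illustration, not Qpid source: toy ACL model, first match wins, default deny.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class Action { Access, Create };
struct Rule { bool allow; std::string user; Action action; std::string object, name; };

// Parse one line of the form: acl allow|deny <user> access|create <object> name=<name>
bool parseRule(const std::string& line, Rule& out) {
    std::istringstream in(line);
    std::string kw, verdict, action, prop;
    if (!(in >> kw >> verdict >> out.user >> action >> out.object >> prop)) return false;
    if (kw != "acl" || (verdict != "allow" && verdict != "deny")) return false;
    if (action != "access" && action != "create") return false;
    if (prop.compare(0, 5, "name=") != 0) return false;
    out.allow = (verdict == "allow");
    out.action = (action == "access") ? Action::Access : Action::Create;
    out.name = prop.substr(5);
    return true;
}

// The requested action must match the rule's action exactly; no match means deny.
bool authorise(const std::vector<Rule>& acl, const std::string& user, Action a,
               const std::string& object, const std::string& name) {
    for (const Rule& r : acl)
        if (r.user == user && r.action == a && r.object == object && r.name == name)
            return r.allow;
    return false;
}

// Hypothetical stand-ins for the bound check, differing only in the action passed.
bool boundAsReported(const std::vector<Rule>& acl, const std::string& u, const std::string& ex) {
    return authorise(acl, u, Action::Create, "exchange", ex);  // action in the reported check
}
bool boundAsProposed(const std::vector<Rule>& acl, const std::string& u, const std::string& ex) {
    return authorise(acl, u, Action::Access, "exchange", ex);  // action in the proposed fix
}

std::vector<Rule> sampleAcl() {  // constructed rule; the user name is a placeholder
    std::vector<Rule> acl; Rule r;
    if (parseRule("acl allow user@qpid access exchange name=foo", r)) acl.push_back(r);
    return acl;
}

int main() {
    std::vector<Rule> acl = sampleAcl();
    std::cout << boundAsReported(acl, "user@qpid", "foo") << boundAsProposed(acl, "user@qpid", "foo") << "\n";
}
```

A per-operation regression test of this shape, asserting which action each session method requests, catches an action passed to the wrong handler before it reaches a broker.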

