Pavel Moravec created QPID-4775:
-----------------------------------

             Summary: ACL delete action should not ignore object's properties other than name
                 Key: QPID-4775
                 URL: https://issues.apache.org/jira/browse/QPID-4775
             Project: Qpid
          Issue Type: Improvement
          Components: C++ Broker
    Affects Versions: 0.20, 0.18
            Reporter: Pavel Moravec
            Priority: Minor


Description of problem:
An ACL rule like:

acl allow all delete queue autodelete=true

should allow deletion of autodelete queues _only_, whereas any queue can be 
deleted. The same applies to any object's property other than the queue's name (see 
the Broker::deleteQueue method and how acl->authorise is called).

The same applies not only to queues but also to exchanges.


Version-Release number of selected component (if applicable):
any


How reproducible:
100%


Steps to Reproduce:
1. cat <acl-file>
# simply allow all except for deleting non-durable queue
acl allow-log all consume all
acl allow-log all publish all
acl allow-log all create all
acl allow-log all access all
acl allow-log all bind all
acl allow-log all unbind all
acl allow-log all purge all
acl allow-log all update all
acl allow-log all delete exchange
acl allow-log all delete queue durable=true
acl deny-log all all

2. Start broker with auth=yes and the ACL file
3. qpid-config -b admin/admin@localhost:5672 add queue TransientQueue
4. qpid-config -b admin/admin@localhost:5672 del queue TransientQueue


Actual results:
Steps 3 and 4 pass.


Expected results:
Deleting the queue should fail, as the queue is not durable.

In fact, even _creating_ the queue that way should raise an exception, as 
deleting the auxiliary queue named like "4135cd9e-04b8-4cef-bcd0-5404444d7a04:0.0" 
(where qpid-config gets its response) should fail.


Additional info:
The same scenarios are applicable to all other queue properties and/or exchange 
properties. Only the queue/exchange name is checked.

Patch proposed.
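
A simplified model of the behaviour reported above, added here as an example; it is not Qpid's code and not the proposed patch. `Rule`, `authorise`, `reportAcl` and the sample queues are hypothetical names, name matching is left out because the sample ACL has no name rules, and the model assumes a rule's property constraints are skipped when the caller supplies no properties, which reproduces the reported result.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model of first-match ACL evaluation; not Qpid's implementation.
using Props = std::map<std::string, std::string>;

struct Rule {
    bool allow;
    std::string action, object;  // "all" matches anything
    Props props;                 // property constraints, e.g. durable=true
};

// Assumption: with no lookup properties (params == nullptr) a rule's property
// constraints are skipped, so the rule matches on action and object alone.
bool authorise(const std::vector<Rule>& acl, const std::string& action,
               const std::string& object, const Props* params) {
    for (const Rule& r : acl) {
        if (r.action != "all" && r.action != action) continue;
        if (r.object != "all" && r.object != object) continue;
        bool match = true;
        if (params) {
            for (const auto& want : r.props) {
                auto it = params->find(want.first);
                if (it == params->end() || it->second != want.second) match = false;
            }
        }
        if (match) return r.allow;
    }
    return false;  // no rule matched: deny
}

// The delete-related rules from the ACL file in the report.
std::vector<Rule> reportAcl() {
    return {{true, "delete", "exchange", {}},
            {true, "delete", "queue", {{"durable", "true"}}},
            {false, "all", "all", {}}};
}

// Constructed sample queues.
const Props kTransient = {{"durable", "false"}, {"autodelete", "false"}};
const Props kDurable = {{"durable", "true"}, {"autodelete", "false"}};

int main() {
    const auto acl = reportAcl();
    std::cout << "no properties, transient:   " << authorise(acl, "delete", "queue", nullptr) << "\n";
    std::cout << "with properties, transient: " << authorise(acl, "delete", "queue", &kTransient) << "\n";
    std::cout << "with properties, durable:   " << authorise(acl, "delete", "queue", &kDurable) << "\n";
}
```

A regression test for a fix can use the same three cases: the transient queue must be refused and the durable queue allowed once the queue's properties reach the lookup.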
