[ https://issues.apache.org/jira/browse/QPID-4775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Moravec updated QPID-4775:
--------------------------------

    Attachment: bz955674.patch

Patch proposal (applicable to 0.18 broker but can differ from 0.20 in line positions only).

> ACL delete action should not ignore object's properties other than name
> -----------------------------------------------------------------------
>
> Key: QPID-4775
> URL: https://issues.apache.org/jira/browse/QPID-4775
> Project: Qpid
> Issue Type: Improvement
> Components: C++ Broker
> Affects Versions: 0.18, 0.20
> Reporter: Pavel Moravec
> Priority: Minor
> Labels: patch, security
> Attachments: bz955674.patch
>
>
> Description of problem:
> ACL rule like:
> acl allow all delete queue autodelete=true
> should allow deletion of autodelete queues _only_. While any queue can be
> deleted. The same applies to any object's property other than queue's name
> (see Broker::deleteQueue method and how acl->authorise is called).
> The same applies not only to queues but also to exchanges.
> Version-Release number of selected component (if applicable):
> any
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. cat <acl-file>
> # simply allow all except for deleting non-durable queue
> acl allow-log all consume all
> acl allow-log all publish all
> acl allow-log all create all
> acl allow-log all access all
> acl allow-log all bind all
> acl allow-log all unbind all
> acl allow-log all purge all
> acl allow-log all update all
> acl allow-log all delete exchange
> acl allow-log all delete queue durable=true
> acl deny-log all all
> 2. Start broker with auth=yes and the ACL file
> 3. qpid-config -b admin/admin@localhost:5672 add queue TransientQueue
> 4. qpid-config -b admin/admin@localhost:5672 del queue TransientQueue
> Actual results:
> Steps 3 and 4 pass.
> Expected results:
> Deleting queue should fail, as the queue is not durable.
> In fact, even _creating_ the queue that way should raise an exception, as
> deleting auxiliary queue named like
> "4135cd9e-04b8-4cef-bcd0-5404444d7a04:0.0" (where the qpid-config gets
> response) should fail.
> Additional info:
> Same scenarios are applicable for all other queue properties and/or exchange
> properties. Just queue/exchange name is checked.
> Patch proposed.
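
The scenario in the report above, as an added example (not part of the original message and not Qpid's code): a simplified first-match model of ACL evaluation, run over the report's ACL file, that compares name-only matching on delete with property-aware matching and lists the delete rules whose scope depends on a property other than name. The rule parsing, the `deny` default and all function names are assumptions made for the illustration.

```python
# Simplified first-match ACL model for illustration; not Qpid's implementation.
ACL_FILE = """\
# simply allow all except for deleting non-durable queue
acl allow-log all consume all
acl allow-log all publish all
acl allow-log all create all
acl allow-log all access all
acl allow-log all bind all
acl allow-log all unbind all
acl allow-log all purge all
acl allow-log all update all
acl allow-log all delete exchange
acl allow-log all delete queue durable=true
acl deny-log all all
"""  # ACL file copied from the report


def parse_acl(text):
    """Parse 'acl <decision> <who> <action> [<object> [key=value ...]]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "acl":
            continue  # comments, blank lines, anything that is not a rule
        _, decision, who, action, *rest = tok
        props = dict(p.split("=", 1) for p in rest[1:])
        rules.append({"decision": decision, "who": who, "action": action,
                      "object": rest[0] if rest else "all", "props": props})
    return rules


def decide(rules, user, action, obj, props, name_only):
    """First matching rule wins. name_only=True models the reported behaviour,
    where only the object's name is compared on delete."""
    for r in rules:
        if (r["who"] not in ("all", user) or r["action"] not in ("all", action)
                or r["object"] not in ("all", obj)):
            continue
        checked = {k: v for k, v in r["props"].items()
                   if k == "name" or not name_only}
        if all(props.get(k) == v for k, v in checked.items()):
            return r["decision"]
    return "deny"  # assumed default when no rule matches


def property_scoped_delete_rules(rules):
    """Delete rules whose intended scope depends on a property other than name."""
    return [r for r in rules
            if r["action"] == "delete" and any(k != "name" for k in r["props"])]
```

Running `property_scoped_delete_rules` over a deployed ACL file shows which rules are broader than written on a broker that has the reported behaviour.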