All, in reviewing the permissions of some objects I have a concern about
how create_or_update is being used. For example, in WidgetCommentService
the save method looks like this:
    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
    void saveWidgetComment(WidgetComment widgetComment);
When looking at the permission evaluator it has this logic:
    case CREATE:
    case CREATE_OR_UPDATE:
        // compares the caller against the user id carried by the incoming object
        hasPermission = isWidgetCommentOwnerById(authentication,
                widgetComment.getUser().getId());
        break;
    case DELETE:
    case UPDATE:
        // anyone can create, delete, read, or update a page that they own
        hasPermission = isWidgetCommentOwner(authentication,
                widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
        break;
So, CREATE and CREATE_OR_UPDATE have the same permission check (to see if
the userID of the user and the object passed in match). This is very
different from the update method, which actually retrieves the DB version of
the object and checks the user ID on that against the logged-in user.
I think the UI is properly protecting the resource in question, but the WS
doesn't seem to be. Also, ironically, the update method doesn't actually
check to see if the userID from the DB matches the userID of the passed-in
object. Maybe that is caught later.
Let me know if I'm missing something, since I didn't write this original
code. If this is really a problem, this isn't the only place. For example,
see [1].
Chris
[1] https://issues.apache.org/jira/browse/RAVE-781
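The two checks described in the message, side by side in a small self-contained model. This is an added illustration, not Rave's code: the WidgetComment and User classes, the in-memory REPOSITORY standing in for the database, and the isOwnerById / isOwnerOfStoredCopy helper names are all assumptions made for the example. It shows why a create_or_update check that trusts the owner id inside the submitted object lets a caller act on someone else's stored comment, and how resolving the stored copy first (and refusing an owner change on update) closes both gaps raised above.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the Rave domain model (assumption, not project code).
public class OwnerCheckDemo {
    static final class User {
        final long id;
        User(long id) { this.id = id; }
    }

    static final class WidgetComment {
        final long id;   // primary key; 0 means "not persisted yet"
        final User user; // owner as carried by the object
        WidgetComment(long id, User user) { this.id = id; this.user = user; }
    }

    // Constructed in-memory repository playing the role of the trusted DB copy.
    static final Map<Long, WidgetComment> REPOSITORY = new HashMap<>();

    enum Action { CREATE, CREATE_OR_UPDATE, UPDATE, DELETE }

    // Weak check: compares the caller only against the owner id the client sent.
    static boolean isOwnerById(long authenticatedUserId, long claimedOwnerId) {
        return authenticatedUserId == claimedOwnerId;
    }

    // Strong check: loads the persisted copy and compares the caller to ITS owner.
    // A comment with no stored copy is a create, so the caller must be the claimed owner.
    // An update whose incoming owner differs from the stored owner is rejected too,
    // which covers the second gap (the DB owner never being compared to the payload).
    static boolean isOwnerOfStoredCopy(long authenticatedUserId, WidgetComment incoming) {
        WidgetComment stored = REPOSITORY.get(incoming.id);
        if (stored == null) {
            return isOwnerById(authenticatedUserId, incoming.user.id);
        }
        return stored.user.id == authenticatedUserId
                && incoming.user.id == stored.user.id;
    }

    // 'hardened' selects the corrected CREATE_OR_UPDATE branch; false mirrors the
    // evaluator quoted in the message, where it shares the CREATE check.
    static boolean hasPermission(Action action, long authenticatedUserId,
                                 WidgetComment incoming, boolean hardened) {
        switch (action) {
            case CREATE:
                return isOwnerById(authenticatedUserId, incoming.user.id);
            case CREATE_OR_UPDATE:
                return hardened
                        ? isOwnerOfStoredCopy(authenticatedUserId, incoming)
                        : isOwnerById(authenticatedUserId, incoming.user.id);
            case UPDATE:
            case DELETE:
                return isOwnerOfStoredCopy(authenticatedUserId, incoming);
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        // Constructed data: comment 42 is stored as owned by user 1.
        REPOSITORY.put(42L, new WidgetComment(42L, new User(1L)));

        // User 2 submits comment 42 with the owner field set to themselves.
        WidgetComment resubmitted = new WidgetComment(42L, new User(2L));

        System.out.println("original evaluator, create_or_update by user 2: "
                + hasPermission(Action.CREATE_OR_UPDATE, 2L, resubmitted, false));
        System.out.println("hardened evaluator, create_or_update by user 2: "
                + hasPermission(Action.CREATE_OR_UPDATE, 2L, resubmitted, true));
        System.out.println("hardened evaluator, create_or_update by user 1 (real owner): "
                + hasPermission(Action.CREATE_OR_UPDATE, 1L,
                        new WidgetComment(42L, new User(1L)), true));
        System.out.println("hardened evaluator, new comment by user 2: "
                + hasPermission(Action.CREATE_OR_UPDATE, 2L,
                        new WidgetComment(0L, new User(2L)), true));
    }
}
```

Run it with javac/java; the first line prints true because the original branch never consults the stored comment, the second prints false because the stored owner is user 1, and the last two print true because the real owner and a genuinely new comment are still allowed. The hardened branch deliberately does the lookup inside the permission evaluator rather than in the service, so the decision is made against the DB copy before the DAO ever sees the client-supplied object.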