>-----Original Message-----
>From: Chris Geer [mailto:[email protected]]
>Sent: Friday, August 31, 2012 3:20 AM
>To: dev
>Subject: Permissions
>
>All, in reviewing the permissions of some objects I have a concern about
>how create_or_update is being used. For example, in WidgetCommentService
>the save method looks like this:
>
>    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
>    void saveWidgetComment(WidgetComment widgetComment);
>
>When looking at the permission evaluator it has this logic
>
>    case CREATE:
>    case CREATE_OR_UPDATE:
>        hasPermission = isWidgetCommentOwnerById(authentication,
>            widgetComment.getUser().getId());
>        break;
>    case DELETE:
>    case UPDATE:
>        // anyone can create, delete, read, or update a page that they own
>        hasPermission = isWidgetCommentOwner(authentication,
>            widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
>        break;
>
>So, CREATE and CREATE_OR_UPDATE have the same permission check (to see if
>the userID of the user and the object passed in match). This is very
>different than the update method which actually retrieves the DB version of
>the object and checks the user ID on that against the logged in user.
IMO, CREATE_OR_UPDATE does not make sense in this context. The above check seems to make sense for a CREATE permission only.

>
>I think the UI is properly protecting the resource in question but the WS
>doesn't seem to be. Also, ironically, the update method doesn't actually
>check to see if the userID from the DB matches the userID of the passed in
>object. Maybe that is caught later.
>
>Let me know if I'm missing something since I didn't write this original
>code. If this is really a problem this isn't the only place. For example
>see [1]
>
>Chris
>
>
>[1] https://issues.apache.org/jira/browse/RAVE-781
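
The difference discussed in this thread, as an added Java example (not Apache Rave code and not written by either poster): a create-or-update check that trusts the owner id on the submitted object, beside one that first resolves the stored record. All class, method and field names are hypothetical, the store is an in-memory map with constructed data, refusing an id that matches no stored record is an assumption of the example, and records require Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; all names are hypothetical and this is not Apache Rave code.
public class CreateOrUpdateCheck {
    // Minimal stand-in for a persisted comment: id is null until first save.
    record Comment(Long id, String ownerId, String text) {}

    // Constructed in-memory store standing in for the repository (the trusted copy).
    static final Map<Long, Comment> STORE = new HashMap<>();

    // Check as described in the thread: trusts the owner id carried by the request object.
    static boolean weakCreateOrUpdate(String callerId, Comment incoming) {
        return callerId.equals(incoming.ownerId());
    }

    // Resolves which operation is really happening before deciding.
    static boolean strictCreateOrUpdate(String callerId, Comment incoming) {
        Comment stored = incoming.id() == null ? null : STORE.get(incoming.id());
        if (stored == null) {
            // CREATE: nothing persisted yet, so the caller may only create as themselves.
            // An id that matches no record is refused rather than treated as a create.
            return incoming.id() == null && callerId.equals(incoming.ownerId());
        }
        // UPDATE: ownership comes from the stored record, and the request
        // must not reassign the owner.
        return callerId.equals(stored.ownerId())
                && stored.ownerId().equals(incoming.ownerId());
    }

    public static void main(String[] args) {
        STORE.put(1L, new Comment(1L, "alice", "original text"));
        // Constructed request: bob submits id 1 with his own id in the owner field.
        Comment fromBob = new Comment(1L, "bob", "overwritten");
        System.out.println("weak:   " + weakCreateOrUpdate("bob", fromBob));
        System.out.println("strict: " + strictCreateOrUpdate("bob", fromBob));
        // Legitimate cases: alice updates her comment, bob creates a new one.
        System.out.println("alice update: "
                + strictCreateOrUpdate("alice", new Comment(1L, "alice", "edited")));
        System.out.println("bob create:   "
                + strictCreateOrUpdate("bob", new Comment(null, "bob", "new")));
    }
}
```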
