On Feb 13, 2008, at 3:18 PM, David Jencks wrote:


On Feb 13, 2008, at 3:01 PM, Dave wrote:

On Feb 12, 2008 6:31 PM, David Jencks <[EMAIL PROTECTED]> wrote:

On Feb 12, 2008, at 3:16 PM, David Jencks wrote:

I started looking at the UserManager and Permissions and have a
couple immediate questions...

Is the set of possible actions finite and known (when roller is
compiled) or is it extensible by the user?  If it's known I'm going
to propose essentially a bitset implementation for actions.

Are the following really intentional?

oops, these are supposed to be Collections.singletonList() etc.

new GlobalPermission(Arrays.emptyList()).implies(new
GlobalPermission(Arrays.singletonList("ADMIN"))) == true

new GlobalPermission(Arrays.singletonList("FOO")).implies(new
GlobalPermission(Arrays.singletonList("BAR"))) == true

and many other similar examples with WebLogPermission.  This seems
to me like asking for trouble.

Similarly, is the name really supposed to be ignored in both implies
methods?

new WebLogPermission(wl1, Collections.singletonList("Admin")).implies(new WebLogPermission(wl2, Collections.singletonList("Admin"))) == true

similarly for GlobalPermission's user...

etc etc

No. That definitely looks like a bug.

I'm working on a fairly major security-revamping proposal that will fix this as a side effect.... hope to have something in a day or two.

The patch on ROLLER-1680 fixes these and many other problems, although of course it might introduce lots of new ones.

thanks
david jencks


thanks
david jencks


- Dave
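
The cases questioned in this thread, as an added example (not Roller's code and not the ROLLER-1680 patch): a hypothetical `WeblogActionPermission` whose `implies` requires the same name and a superset of the requested actions, with an `EnumSet` serving as the bitset. The class name, the action names and the `wl1`/`wl2` handles are assumptions, and the action set is assumed to be fixed at compile time.

```java
import java.security.Permission;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;

// Hypothetical class for illustration; not Roller's WebLogPermission.
final class WeblogActionPermission extends Permission {
    // Assumed action names; a closed set is what allows a bitset (EnumSet).
    enum Action { POST, EDIT_DRAFT, ADMIN }

    private final EnumSet<Action> actions;

    WeblogActionPermission(String weblogHandle, Collection<Action> actions) {
        super(weblogHandle); // the name says which weblog the grant covers
        // EnumSet.copyOf rejects an empty non-EnumSet collection, so handle it.
        this.actions = actions.isEmpty()
                ? EnumSet.noneOf(Action.class) : EnumSet.copyOf(actions);
    }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof WeblogActionPermission)) return false;
        WeblogActionPermission req = (WeblogActionPermission) p;
        // Same weblog AND every requested action is held by this permission.
        return getName().equals(req.getName()) && actions.containsAll(req.actions);
    }
    @Override public boolean equals(Object o) {
        return o instanceof WeblogActionPermission
                && getName().equals(((WeblogActionPermission) o).getName())
                && actions.equals(((WeblogActionPermission) o).actions);
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }
    @Override public String getActions() { return actions.toString(); }

    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) throw new AssertionError(label);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        WeblogActionPermission none = new WeblogActionPermission("wl1", Collections.<Action>emptyList());
        WeblogActionPermission admin1 = new WeblogActionPermission("wl1", Collections.singletonList(Action.ADMIN));
        WeblogActionPermission admin2 = new WeblogActionPermission("wl2", Collections.singletonList(Action.ADMIN));
        WeblogActionPermission post1 = new WeblogActionPermission("wl1", Collections.singletonList(Action.POST));
        expect(false, none.implies(admin1), "empty set implies ADMIN");
        expect(false, post1.implies(admin1), "POST implies ADMIN");
        expect(false, admin1.implies(admin2), "wl1 ADMIN implies wl2 ADMIN");
        expect(true, admin1.implies(admin1), "wl1 ADMIN implies wl1 ADMIN");
    }
}
```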


