Brian, thanks for the response, but the document cited does not cover the question nor do the test cases.
If we take the first two examples in the missing parts section: it clearly states that (assume the symbol => means implies)

printer:print => printer:print:*

but says nothing about

printer:print:* => printer:print

I think that this statement is false. Logically the addition of the ":*" should indicate that permissions are granted to things under "printer:print" but not to "printer:print" itself.

I hope this makes sense.

Claude

On Tue, Jan 23, 2018 at 2:48 PM, Brian Demers <[email protected]> wrote:

> Hey Claude, I thought someone responded to this already (sorry)
>
> To me, this seems in line with the doc:
> https://shiro.apache.org/permissions.html#missing-parts
> At first glance, there are similar test cases in `WildcardPermissionTest
> <https://github.com/apache/shiro/blob/master/core/src/test/java/org/apache/shiro/authz/permission/WildcardPermissionTest.java#L143>`
>
> Does that help clear things up? If not maybe a PR to that test class would
> help clarify the point?
>
> Thanks!
> -Brian
>
>
> On Tue, Jan 23, 2018 at 5:36 AM, [email protected] <[email protected]> wrote:
>
> > Not seeing any discussion of this and seeing no tests in the test cases
> > that perform any tests of this issue. I will open a defect and work on
> > that.
> >
> > Claude
> >
> > ________________________________
> > From: Claude Warren (Product Engineering Service)
> > Sent: Friday, January 12, 2018 12:52:52 PM
> > To: [email protected]
> > Subject: Defect in WildcardPermission evaluation?
> >
> > Currently the WildcardPermission.implies() method contains the following
> > code snippet and comment.
> >
> >     // If this permission has less parts than the other permission, everything after the number of parts contained
> >     // in this permission is automatically implied, so return true
> >     ....
> >
> >     // If this permission has more parts than the other parts, only imply it if all of the other parts are wildcards
> >     for (; i < getParts().size(); i++) {
> >         Set<String> part = getParts().get(i);
> >         if (!part.contains(WILDCARD_TOKEN)) {
> >             return false;
> >         }
> >     }
> >
> > This means that if you have (User perms in first col, testing against
> > across columns)
> > {noformat}
> >
> >          A    A:*  A:B  A:B:*  A:B:C  A:B:C:*
> > A        t    t    t    t      t      t
> > A:*      T    t    t    t      t      t
> > A:B      f    f    t    t      t      t
> > A:B:*    f    f    T    t      t      t
> > A:B:C    f    f    f    f      t      t
> > A:B:C:*  f    f    f    f      T      t
> >
> > {noformat}
> >
> > I think the issues are where the upper case "T"s are. I believe that
> > those should be "F"
> >
> > The logic being that once a separator (:) is presented it should no longer
> > match anything shorter than that.
> >
> > Thoughts?
> > Claude

--
I like: Like Like - The likeliest place on the web <http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
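
The matrix discussed in this thread can be reproduced with the stand-alone sketch below. It is an added example, not code from the original messages or from the Shiro project: the class `WildcardImpliesMatrix` and its `strict` flag are hypothetical, the non-strict path follows the two loops quoted above, and the strict path is one reading of the proposed rule (an assumption). It skips the library's input validation and case handling.

```java
import java.util.*;

public class WildcardImpliesMatrix {
    // Split "a:b,c:*" into parts; each part is a set of comma-separated subparts.
    static List<Set<String>> parts(String perm) {
        List<Set<String>> out = new ArrayList<>();
        for (String p : perm.split(":")) {
            out.add(new HashSet<>(Arrays.asList(p.split(","))));
        }
        return out;
    }

    // strict=false follows the two loops quoted in the thread.
    // strict=true (assumption): a permission with more parts never implies a shorter one.
    static boolean implies(String held, String requested, boolean strict) {
        List<Set<String>> mine = parts(held), other = parts(requested);
        int i = 0;
        for (Set<String> otherPart : other) {
            if (i >= mine.size()) {
                return true; // held has fewer parts: the remainder is implied
            }
            Set<String> part = mine.get(i);
            if (!part.contains("*") && !part.containsAll(otherPart)) {
                return false;
            }
            i++;
        }
        if (strict && i < mine.size()) {
            return false; // held has more parts than requested
        }
        for (; i < mine.size(); i++) {
            if (!mine.get(i).contains("*")) {
                return false; // a trailing non-wildcard part is never implied away
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] perms = {"A", "A:*", "A:B", "A:B:*", "A:B:C", "A:B:C:*"};
        for (boolean strict : new boolean[] {false, true}) {
            System.out.println(strict ? "proposed (strict):" : "current:");
            for (String held : perms) {
                StringBuilder row = new StringBuilder(String.format("%-8s", held));
                for (String requested : perms) {
                    row.append(implies(held, requested, strict) ? " t" : " f");
                }
                System.out.println(row);
            }
        }
    }
}
```

The two printed matrices differ only in the three cells marked with an upper case "T" in the table above, which makes them the cases to pin down in a test when relying on `:*` to scope a grant to sub-resources only.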
