[ 
http://jira.nuxeo.org/browse/NXP-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=34785#action_34785
 ] 

Olivier Grisel commented on NXP-2264:
-------------------------------------

Proposed patch (currently under testing):

diff --git 
a/nuxeo-platform-webapp-core/src/main/java/org/nuxeo/ecm/webapp/security/SecurityActionsBean.java
 
b/nuxeo-platform-webapp-core/src/main/java/org/nuxeo/ecm/webapp/security/SecurityActionsBean.java
--- 
a/nuxeo-platform-webapp-core/src/main/java/org/nuxeo/ecm/webapp/security/SecurityActionsBean.java
+++ 
b/nuxeo-platform-webapp-core/src/main/java/org/nuxeo/ecm/webapp/security/SecurityActionsBean.java
@@ -23,6 +23,8 @@ import static org.jboss.seam.ScopeType.C

 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;

@@ -82,8 +84,10 @@ public class SecurityActionsBean extends
     // XXX temporary
     protected static final String ADMIN_GROUP = "administrators";

-    protected static final String[] PERMISSIONS_TO_CHECK = 
{SecurityConstants.WRITE_SECURITY, SecurityConstants.READ_SECURITY};
-
+    protected static final String[] SEED_PERMISSIONS_TO_CHECK = 
{SecurityConstants.WRITE_SECURITY, SecurityConstants.READ_SECURITY};
+
+    protected String[] CACHED_PERMISSION_TO_CHECK = null;
+
     private static final Log log = 
LogFactory.getLog(SecurityActionsBean.class);

     private static final Labeler labeler = new Labeler(
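Review bot: The added `CACHED_PERMISSION_TO_CHECK` is a mutable, non-static instance field written in constant style and left `protected`, so it reads like a shared constant while any subclass can replace the permission list the access check relies on. I would declare it as `private String[] cachedPermissionsToCheck;` and keep `getPermissionsToCheck()` in the last hunk as its only writer, following the rename there. Since the cache is filled once per bean instance, a short comment should state that permission groups registered later are not picked up until a new instance is created. The class body continues outside the hunk.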
@@ -617,11 +621,27 @@ public class SecurityActionsBean extends
         }
         acp.setRules(modifiableEntries.toArray(new UserEntry[0]));

-        final boolean access = acp.getAccess(principals.toArray(new 
String[0]), PERMISSIONS_TO_CHECK).toBoolean();
+        final boolean access = acp.getAccess(principals.toArray(new 
String[0]), getPermissionsToCheck()).toBoolean();
         if (!access) {
             rebuildSecurityData();
         }
         return access;
     }

+    protected String[] getPermissionsToCheck() throws ClientException {
+        if (CACHED_PERMISSION_TO_CHECK == null) {
+            try {
+            List<String> aggregatedPerms = new LinkedList<String>();
+                for (String seedPerm : SEED_PERMISSIONS_TO_CHECK) {
+                    PermissionProvider pprovider = 
Framework.getService(PermissionProvider.class);
+                    
aggregatedPerms.addAll(Arrays.asList(pprovider.getPermissionGroups(seedPerm)));
+                }
+                CACHED_PERMISSION_TO_CHECK = aggregatedPerms.toArray(new 
String[aggregatedPerms.size()]);
+            } catch (Exception e) {
+                throw new ClientException(e);
+            }
+        }
+        return CACHED_PERMISSION_TO_CHECK;
+    }
+
 }
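Review bot: In the new `getPermissionsToCheck()`, the aggregated list holds only what `pprovider.getPermissionGroups(seedPerm)` returns and never the seed permission itself. If that call yields just the enclosing groups (its contract is not visible here), a user granted WriteSecurity or ReadSecurity directly would no longer pass the check at the changed `acp.getAccess` call. The same line hands the result straight to `Arrays.asList`, which throws a NullPointerException if the provider returns null for a permission with no groups; the broad `catch (Exception e)` would then turn that into a ClientException and block the ACL edit. I would add the seed first, guard the null, and hoist the `Framework.getService` lookup out of the loop, as below. The method containing the `acp.getAccess` call starts outside the hunk.

```java
protected String[] getPermissionsToCheck() throws ClientException {
    // … unchanged: null check on the cache, try, aggregatedPerms declaration …
    PermissionProvider pprovider = Framework.getService(PermissionProvider.class);
    for (String seedPerm : SEED_PERMISSIONS_TO_CHECK) {
        // Keep the directly granted permission in the set being checked.
        aggregatedPerms.add(seedPerm);
        String[] groups = pprovider.getPermissionGroups(seedPerm);
        if (groups != null) {
            aggregatedPerms.addAll(Arrays.asList(groups));
        }
    }
    // … unchanged: toArray into the cache, catch, return …
```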


> user management screen complains if user does not have WriteSecurity directly
> -----------------------------------------------------------------------------
>
>                 Key: NXP-2264
>                 URL: http://jira.nuxeo.org/browse/NXP-2264
>             Project: Nuxeo Enterprise Platform 5
>          Issue Type: Bug
>          Components: Web Foundations
>    Affects Versions: 5.1.4
>            Reporter: Olivier Grisel
>            Assignee: Olivier Grisel
>             Fix For: 5.1.5
>
>   Original Estimate: 3 hours
>  Remaining Estimate: 3 hours
>
> If a user has the "LocalManager" permission, which includes WriteSecurity, they 
> cannot remove permissions because SecurityActionsBean.checkPermissions() does 
> not resolve permission groups.
