On Wed, Mar 18, 2015 at 12:10 PM, Niels Charlier <[email protected]> wrote:

>  Hi,
>
> I have found the issue. The regression seems to be introduced in
> https://github.com/geoserver/geoserver/commit/c1750a1499fc059ecce153322eef8ff119684881
> by n-lagomarsini
>
> In DefaultResourceAccessManager method getSecurityFilter, where the layer
> security tree is converted to a filter, it will create a negative workspace
> filter whenever the root is accessible, even if the workspace is accessible
> as well. The method is quite confusing.
>
>
The method requires some understanding of how the existing security
subsystem works... which is by always matching
the most specific item in the tree. Basically, you walk from the root to
the leaves, and use the access rule of the
most specific item you find in your walk.
When you have to turn that into a filter, at the workspace level you
basically have two options:
* You can access the workspace, but there might be overrides that disallow
access to certain layers to the current user
* You cannot access the workspace, but there might be overrides that allow
access to certain layers to the current user
However you also have to take into account what root access you had, so
it's really a 3-level logic, and you're really
building a set of exceptions to your root level access.




> I suggest this fix:
> https://github.com/NielsCharlier/geoserver/commit/933f3c64c9fff980352eb89fc703f73e71f4398e
> That solves the problem and the code looks a bit more understandable.
>

I don't really understand how it makes it more readable, but a cursory look
suggests the patch is correct.
But if we want to make the code more readable, we should add the above
explanation to the comments instead.

Cheers
Andrea

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
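
The most-specific-match walk and the "exceptions to root access" filter described in the message above, as an added example that is not part of the original thread and is not GeoServer code. The tree contents and every name here (`can_access`, `build_filter`, `filter_allows`, `mismatches`) are constructed for illustration; the last function is the consistency check that catches a filter which disagrees with the per-layer walk.

```python
# Constructed model of a root -> workspace -> layer rule tree (not GeoServer code).
# A rule is True (allow), False (deny) or None (no rule here, inherit from parent).
ROOT = True
TREE = {
    "topp":   (None,  {"states": None, "roads": False}),
    "secret": (False, {"plans": None, "public_map": True}),
    "sf":     (True,  {"streams": None, "bugsites": True}),
}


def can_access(root, tree, ws, layer):
    """Walk from the root to the layer; the most specific rule found wins."""
    allowed = root
    ws_rule, layers = tree[ws]
    for rule in (ws_rule, layers[layer]):
        if rule is not None:
            allowed = rule
    return allowed


def build_filter(root, tree):
    """Flatten the tree into exceptions to the root-level access.

    Keys are (workspace, None) for a whole workspace or (workspace, layer).
    """
    exceptions = {}
    for ws, (ws_rule, layers) in tree.items():
        ws_access = root if ws_rule is None else ws_rule
        # A workspace-level exception exists only when the workspace differs
        # from the root; an accessible workspace under an accessible root adds none.
        if ws_access != root:
            exceptions[(ws, None)] = ws_access
        for layer, rule in layers.items():
            # A layer override is an exception to its workspace's access.
            if rule is not None and rule != ws_access:
                exceptions[(ws, layer)] = rule
    return exceptions


def filter_allows(root, exceptions, ws, layer):
    """Evaluate the flat filter: layer exception, then workspace, then root."""
    if (ws, layer) in exceptions:
        return exceptions[(ws, layer)]
    return exceptions.get((ws, None), root)


def mismatches(root, tree):
    """Layers where the filter and the tree walk disagree (should be none)."""
    flt = build_filter(root, tree)
    return [(ws, layer) for ws, (_, layers) in tree.items() for layer in layers
            if filter_allows(root, flt, ws, layer) != can_access(root, tree, ws, layer)]
```

Running `mismatches` with both an accessible and an inaccessible root exercises both bullet cases from the message: overrides that deny inside an allowed workspace, and overrides that allow inside a denied one.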