[ https://issues.apache.org/jira/browse/MRM-1908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15476257#comment-15476257 ]

ASF GitHub Bot commented on MRM-1908:
-------------------------------------

GitHub user effrafax opened a pull request:

    https://github.com/apache/archiva-redback-core/pull/9

    Adding parameter references in authorization resource

    This is a patch that may be used to fix https://issues.apache.org/jira/browse/MRM-1908
    
    Certain REST methods in Archiva have permission checks annotated but do not
    take the repository id into account. This patch adds the possibility to set the
    resource parameter of the authorization check dynamically from a request
    parameter.
    
    In certain cases the resource must be dynamically set by parameter values.
    This patch allows adding a reference into the resource field of the redback
    annotation '{parameterName}' that fills the resource of the permission dynamically
    with the parameter value, if found.
    
    Please check if this would be the right way to fix the issue. I tested it
    by changing the resource annotation in Archiva: `FileUploadService#save`:
    `@RedbackAuthorization( resource = "{repositoryId}", permissions = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )`
    
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/effrafax/archiva-redback-core param_resource

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/archiva-redback-core/pull/9.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #9
    
----
commit 796af57be2dda6f5b4c5b27f57157ecc0a33aff1
Author: Martin Stockhammer <[email protected]>
Date:   2016-09-09T07:40:29Z

    Adding parameter references in authorization resource
    
    In certain cases the resource must be dynamically set by parameter values.
    This patch allows adding a reference into the resource field of the redback
    annotation '{parameterName}' that fills the resource of the permission dynamically
    with the parameter value, if found.

----


> Logged on users can write any repository
> ----------------------------------------
>
>                 Key: MRM-1908
>                 URL: https://issues.apache.org/jira/browse/MRM-1908
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 2.2.0
>            Reporter: Krisztian Fekete
>             Fix For: 2.2.2
>
>         Attachments: MRM-1908.patch, archiva1.jpg, archiva2.jpg, 
> archiva3.jpg, archiva4.jpg, archiva5.jpg, archiva6.jpg
>
>
> Our sandbox Archiva 2.2.0 instance is connected with our corporate LDAP 
> service. I created a repository with name common-internal. My LDAP user 
> feketk1 doesn't have any permission on the common-internal repository. When I 
> log in through the web UI with my feketk1 user, I am able to upload artefacts 
> to the common-internal repository.
> For additional details please check attached screenshots.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
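
The '{parameterName}' resource reference described in the pull request above, as an added sketch that is not the code of the pull request or of Redback. The `Authz` annotation, `resolve`, `isAuthorized`, the grants map and the permission string are hypothetical, and denying access when the reference cannot be resolved is an assumption of this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
import java.util.regex.*;

public class ResourceRefDemo {
    // Hypothetical stand-in for the annotation; only a resource and a permission field.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Authz { String resource(); String permission(); }

    static class UploadService {
        @Authz(resource = "{repositoryId}", permission = "upload") // "upload" is a placeholder
        public void save(String repositoryId) { }
    }

    private static final Pattern REF = Pattern.compile("^\\{(\\w+)\\}$");

    // Replace a "{name}" reference with the request parameter of that name.
    // A literal resource passes through unchanged. Assumption of this example:
    // a reference that cannot be resolved is an error, so the caller denies.
    static String resolve(String resource, Map<String, String> params) {
        Matcher m = REF.matcher(resource);
        if (!m.matches()) return resource;
        String value = params.get(m.group(1));
        if (value == null || value.isEmpty())
            throw new SecurityException("unresolved resource reference " + resource);
        return value;
    }

    // grants is constructed sample data: user -> set of "permission:resource".
    static boolean isAuthorized(Method method, String user, Map<String, String> params,
                                Map<String, Set<String>> grants) {
        Authz a = method.getAnnotation(Authz.class);
        if (a == null) return false;            // no annotation: deny in this sketch
        try {
            String key = a.permission() + ":" + resolve(a.resource(), params);
            return grants.getOrDefault(user, Set.of()).contains(key);
        } catch (SecurityException e) {
            return false;                       // fail closed on a missing parameter
        }
    }

    public static void main(String[] args) throws Exception {
        Method save = UploadService.class.getMethod("save", String.class);
        // Constructed grant: the user may upload to "sandbox" only.
        Map<String, Set<String>> grants = Map.of("feketk1", Set.of("upload:sandbox"));
        for (Map<String, String> p : List.of(Map.of("repositoryId", "sandbox"),
                Map.of("repositoryId", "common-internal"), Map.<String, String>of()))
            System.out.println(p + " -> " + isAuthorized(save, "feketk1", p, grants));
    }
}
```

The three calls cover a repository the user holds the permission on, one the user does not, and a request with no `repositoryId` parameter at all.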
