[
http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87112
]
Jesse McConnell commented on CONTINUUM-1147:
--------------------------------------------
1) these are all utility functions that can simply go into the
ContinuumActionSupport class itself, no need to further subclass from there for
these functions I don't think
2) the isAuthorized* methods on the simply return false on a lot of the
exceptional conditions, I think they ought to just return a general exception
wrapping these exception. And then we could have a general xwork result for
these sorts of authorized behaviors that takes you to just one screen that can
print out some useful error messages, 'You are unauthorized to access this
context.', 'A exception occurred trying to determine if you can access this
context.' etc.
3) not sure about all of the private methods on the actions that are simply
wrapping up the getting of the project name from the projectId, I would
probably just put a prepare() on the action and make sure the projectName is
getting populated from the project id in the prepare, double check the xwork
interceptor stack to make sure the params are scraped before prepare and that
should be just fine, will save a lot of calls to the db to get the project name
over and over.
4) I know when I went through these actions before that the methods themselves
ought to be protected by different permissions, so I don't think the abstract
isAuthorized from the abstract parent is worth having, just wrap up the various
protections you have in the ContinuumActionSupport class and I think you'll be
in great shape.
I think this approach will bear fruit on making this whole thing a lot more
secure, we need to get a security mapping of operations to functionalities on
the continuum wiki at some point and this is natural material for that, nice
work
longer term I would like to see the action flow secured in a different manner
but short of a full refactor of the actions to accommodate that, this is good
> Even if a user doesn't show a group in the group summary (because he doesn't
> have roles), he can access to the project group page and all other sub pages
> if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CONTINUUM-1147
> URL: http://jira.codehaus.org/browse/CONTINUUM-1147
> Project: Continuum
> Issue Type: Bug
> Components: Security
> Reporter: Maria Odea Ching
> Assigned To: Emmanuel Venisse
> Attachments: CONTINUUM-1147-continuum-webapp.patch
>
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
