Eduard Wirch created SHIRO-902:
----------------------------------

             Summary: Separator conflict between PermissionUtils.resolveDelimitedPermissions() and WildcardPermission.SUBPART_DIVIDER_TOKEN
                 Key: SHIRO-902
                 URL: https://issues.apache.org/jira/browse/SHIRO-902
             Project: Shiro
          Issue Type: Bug
          Components: Authorization (access control) 
    Affects Versions: 1.10.1
            Reporter: Eduard Wirch


PermissionUtils.resolveDelimitedPermissions() accepts multiple permissions, 
separated by commas. But the comma is already reserved by 
WildcardPermission.SUBPART_DIVIDER_TOKEN.

Example: "user:read,write:*"

Expected:

parts: [
  ["user"],
  ["read", "write"],
  ["*"]
]

Actual:

WildcardPermission.parts: [
  ["user"],
  ["read"]
],
WildcardPermission.parts: [
  ["write"],
  ["*"]
]

JUnit test to trigger the bug:

{code:java}
import static org.assertj.core.api.Assertions.assertThat;

import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.util.PermissionUtils;
import org.junit.jupiter.api.Test;

public class PermissionUtilsTest {
    @Test
    void verifyResolveDelimitedPermissionsRespectsSubPartDividerToken() {
        var permissionResolver = new WildcardPermissionResolver(true);
        // The comma inside "read,write" is a sub-part divider, not a permission delimiter.
        var result = PermissionUtils.resolveDelimitedPermissions("user:read,write:*", permissionResolver);
        // Fails on 1.10.1: the string is split into "user:read" and "write:*".
        assertThat(result)
            .containsExactlyInAnyOrder(
                new WildcardPermission("user:read,write:*")
            );
    }
}
{code}

I understand that PermissionUtils actually cannot know about 
WildcardPermission.SUBPART_DIVIDER_TOKEN, because it is hidden behind the 
PermissionResolver abstraction. But WildcardPermissionResolver is the only 
resolver you provide. PermissionUtils should support using it.

I also understand that the fix will be a breaking change, which should usually 
be avoided in public APIs. But also consider that every new user of 
PermissionUtils will waste time debugging this bug, and then will avoid using 
resolveDelimitedPermissions(). What's the purpose of a stable but unused API?
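The authorization consequence of the split, shown as an added example (this is not code from the issue or from the Shiro project): the same string is resolved once as a single permission and once through resolveDelimitedPermissions(), and a few constructed probe permissions are checked against each result with implies(). Besides the classes named in the report it uses PermissionUtils.resolvePermissions(Collection, PermissionResolver) from Shiro 1.x, which takes an already-split collection and therefore performs no comma splitting; the probe strings and class name are constructed for the demo.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.util.PermissionUtils;

/**
 * Added example (not Shiro code): compares what "user:read,write:*" grants
 * when parsed as one wildcard permission versus when it is first split on commas.
 */
public class DelimiterConflictDemo {

    static final String CONFIGURED = "user:read,write:*";

    // Constructed probes: permissions a subject might actually be checked against.
    static final String[] PROBES = {
        "user:read:42",    // should be granted
        "user:write:42",   // should be granted
        "write:anything",  // should NOT be granted: "write" is an action here, not a domain
        "user:delete:42"   // should NOT be granted
    };

    /** Intended reading: the whole string is one permission, so the comma stays a sub-part divider. */
    static Set<Permission> resolveAsOne(WildcardPermissionResolver resolver) {
        return PermissionUtils.resolvePermissions(Arrays.asList(CONFIGURED), resolver);
    }

    /** Reading from the report: the helper splits on the comma first. */
    static Set<Permission> resolveDelimited(WildcardPermissionResolver resolver) {
        return PermissionUtils.resolveDelimitedPermissions(CONFIGURED, resolver);
    }

    /** True if any granted permission implies the requested one (how a realm answers isPermitted). */
    static boolean anyImplies(Set<Permission> granted, Permission requested) {
        for (Permission p : granted) {
            if (p.implies(requested)) {
                return true;
            }
        }
        return false;
    }

    /** Maps each probe to the two decisions and a verdict naming the kind of divergence. */
    static Map<String, String> compare() {
        WildcardPermissionResolver resolver = new WildcardPermissionResolver();
        Set<Permission> intended = resolveAsOne(resolver);
        Set<Permission> delimited = resolveDelimited(resolver);
        Map<String, String> out = new LinkedHashMap<>();
        for (String probe : PROBES) {
            Permission requested = new WildcardPermission(probe);
            boolean byIntended = anyImplies(intended, requested);
            boolean byDelimited = anyImplies(delimited, requested);
            String verdict = byIntended == byDelimited
                ? "same"
                : (byDelimited ? "UNINTENDED GRANT" : "LOST GRANT");
            out.put(probe, "intended=" + byIntended + " delimited=" + byDelimited + " -> " + verdict);
        }
        return out;
    }

    public static void main(String[] args) {
        WildcardPermissionResolver resolver = new WildcardPermissionResolver();
        System.out.println("resolvePermissions(...)          -> "
            + resolveAsOne(resolver).size() + " permission(s): " + resolveAsOne(resolver));
        System.out.println("resolveDelimitedPermissions(...) -> "
            + resolveDelimited(resolver).size() + " permission(s): " + resolveDelimited(resolver));
        compare().forEach((probe, result) -> System.out.println(probe + ": " + result));
    }
}
```

Run with shiro-core 1.10.1 on the classpath. Following WildcardPermission's implies rules, the split set {"user:read", "write:*"} still implies "user:read:42" but no longer implies "user:write:42" (a lost grant, which surfaces as a denial), while "write:*" now implies "write:anything" (a grant the configured string never expressed, since "write" was meant as an action, not a domain). Until the helper respects the sub-part divider, resolving each permission string individually through resolvePermissions(Collection, PermissionResolver) or resolver.resolvePermission(String) keeps the comma inside "read,write" intact.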


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
