[
https://issues.apache.org/jira/browse/SHIRO-902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17676763#comment-17676763
]
Benjamin Marwell commented on SHIRO-902:
----------------------------------------
[~ewirch] as a workaround, you could just pass a List of one element into
{{resolvePermission().}}
I see your point (and I agree), but I am not sure if we want to solve it THAT
way. Maybe just not providing the methohd {{resolveDelimitedPermissions}} does
not make any sense.
> Separator conflict between PermissionUtils.resolveDelimitedPermissions() and
> WildcardPermission.SUBPART_DIVIDER_TOKEN
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-902
> URL: https://issues.apache.org/jira/browse/SHIRO-902
> Project: Shiro
> Issue Type: Bug
> Components: Authorization (access control)
> Affects Versions: 1.10.1
> Reporter: Eduard Wirch
> Priority: Major
>
> PermissionUtils.resolveDelimitedPermissions() accepts multiple permissions,
> separated by comma. But comma is already reserved by
> WildcardPermission.SUBPART_DIVIDER_TOKEN.
>
> Example: "user:read,write:*"
> Expected:
> {{parts: [}}{{ ["user"],}}{{ ["read", "write"],}}{{{}
> ["*"]{}}}{{{}]{}}}{{{}Actual:{}}}
> {{WildcardPermission.parts: [}}{{ ["user"],}}{{{}
> ["read"]{}}}{{{}],{}}}{{{}WildcardPermission.parts: [{}}}{{ ["write"],}}{{{}
> ["*"]{}}}{{{}]{}}}{{{}{}}}
> JUnit test to trigger the bug:
> {{import static org.assertj.core.api.Assertions.assertThat;}}
> {{import org.apache.shiro.authz.permission.WildcardPermission;}}
> {{import org.apache.shiro.authz.permission.WildcardPermissionResolver;}}
> {{import org.apache.shiro.util.PermissionUtils;}}
> {{import org.junit.jupiter.api.Test;}}
> {{public class PermissionUtilsTest {}}
> {{ @Test}}
> {{ void verifyResolveDelimitedPermissionsRespectsSubPartDividerToken() {}}
> {{ var permissionResolver = new WildcardPermissionResolver(true);}}
> {{ var result =
> PermissionUtils.resolveDelimitedPermissions("user:read,write:*",
> permissionResolver);}}
> {{ assertThat(result)}}
> {{ .containsExactlyInAnyOrder(}}
> {{ new WildcardPermission("user:read,write:*")}}
> {{ );}}
> {{ }}}
> {{}}}
>
> I understand, that PermissionUtils actually cannot know about
> WildcardPermission.SUBPART_DIVIDER_TOKEN, because it is hidden behind the
> PermissionResolver abstraction. But WildcardPermissionResolver is the only
> resolver you provide. PermissionUtils should support using it.
> I also understand that the fix will be a breaking change, which should
> usually be avoided in public APIs. But also consider, that every new user
> using PermissionUtils will waste time debugging this bug, and then will avoid
> using resolveDelimitedPermissions(). What's the purpose of a stable but
> unused API?
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
