[ https://issues.apache.org/jira/browse/SHIRO-902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benjamin Marwell resolved SHIRO-902.
------------------------------------
Fix Version/s: 2.0.0
Assignee: Benjamin Marwell
Resolution: Not A Problem
As shown in the new testcase in commit
[https://github.com/apache/shiro/commit/1973173049442bb5388cd11a44d9c77edd45422f],
this is not a bug. The manual clearly states that quoting is needed in such
cases.
> Separator conflict between PermissionUtils.resolveDelimitedPermissions() and
> WildcardPermission.SUBPART_DIVIDER_TOKEN
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-902
> URL: https://issues.apache.org/jira/browse/SHIRO-902
> Project: Shiro
> Issue Type: Bug
> Components: Authorization (access control)
> Affects Versions: 1.10.1
> Reporter: Eduard Wirch
> Assignee: Benjamin Marwell
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> PermissionUtils.resolveDelimitedPermissions() accepts multiple permissions,
> separated by comma. But comma is already reserved by
> WildcardPermission.SUBPART_DIVIDER_TOKEN.
>
> Example: "user:read,write:*"
> Expected:
> parts: [ ["user"], ["read", "write"], ["*"] ]
> Actual:
> WildcardPermission.parts: [ ["user"], ["read"] ],
> WildcardPermission.parts: [ ["write"], ["*"] ]
> JUnit test to trigger the bug:
> import static org.assertj.core.api.Assertions.assertThat;
> import org.apache.shiro.authz.permission.WildcardPermission;
> import org.apache.shiro.authz.permission.WildcardPermissionResolver;
> import org.apache.shiro.util.PermissionUtils;
> import org.junit.jupiter.api.Test;
>
> public class PermissionUtilsTest {
>     @Test
>     void verifyResolveDelimitedPermissionsRespectsSubPartDividerToken() {
>         var permissionResolver = new WildcardPermissionResolver(true);
>         var result = PermissionUtils.resolveDelimitedPermissions("user:read,write:*", permissionResolver);
>         assertThat(result)
>             .containsExactlyInAnyOrder(
>                 new WildcardPermission("user:read,write:*")
>             );
>     }
> }
>
> I understand that PermissionUtils actually cannot know about
> WildcardPermission.SUBPART_DIVIDER_TOKEN, because it is hidden behind the
> PermissionResolver abstraction. But WildcardPermissionResolver is the only
> resolver you provide. PermissionUtils should support using it.
> I also understand that the fix will be a breaking change, which should
> usually be avoided in public APIs. But also consider that every new user
> using PermissionUtils will waste time debugging this bug, and then will avoid
> using resolveDelimitedPermissions(). What's the purpose of a stable but
> unused API?
>
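The separator conflict and the quoting remedy discussed in this thread, as an added example that is not part of the original messages and is not Shiro's code: a simplified Java model of the two parsing stages (comma split of the permission list, then part/subpart parsing of each permission). The class and method names are hypothetical, and the model assumes that the quoting mentioned in the resolution means wrapping a permission in double quotes.

```java
import java.util.*;

// Simplified model of the two parsing stages described in SHIRO-902; not Shiro's source.
public class DelimiterConflictDemo {

    // Stage 1 (models the list split): split on ',' only outside double quotes.
    // Assumption: "quoting" means wrapping one permission in double quotes.
    static List<String> splitPermissions(String s) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (char c : s.toCharArray()) {
            if (c == '"') {
                quoted = !quoted;              // quote characters are dropped
            } else if (c == ',' && !quoted) {
                out.add(cur.toString().trim());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString().trim());
        out.removeIf(String::isEmpty);
        return out;
    }

    // Stage 2 (models the wildcard permission): ':' separates parts, ',' separates subparts.
    static List<List<String>> parts(String permission) {
        List<List<String>> parts = new ArrayList<>();
        for (String part : permission.split(":")) {
            parts.add(Arrays.asList(part.split(",")));
        }
        return parts;
    }

    static void show(String input) {
        System.out.println("input: " + input);
        for (String p : splitPermissions(input)) {
            System.out.println("  permission " + p + " -> parts " + parts(p));
        }
    }

    public static void main(String[] args) {
        show("user:read,write:*");                 // unquoted, as in the issue
        show("\"user:read,write:*\"");             // quoted, as the resolution advises
        show("\"user:read,write:*\",audit:view");  // constructed list mixing both forms
    }
}
```

In this model the unquoted input resolves to two permissions, `user:read` and `write:*`, so the granted set differs from the single `user:read,write:*` the configuration intended; permission strings containing subpart commas are worth reviewing for missing quotes.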