chrisknoll opened a new issue, #1301: URL: https://github.com/apache/shiro/issues/1301
### Search before asking

- [X] I had searched in the [issues](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no similar issues.

### Environment

This is a web application using Shiro. Looking at WildcardPermission.implies() to understand permission logic.

### Shiro version

1.13.0

### What was the actual outcome?

Looking at the logic of the code, the following seems to return false, when it should return true:

```
new WildcardPermission("printer:query,print:lp7200").implies(new WildcardPermission("printer:query:lp7200"))
```

The understanding is that the permission assigned to the user is `printer:query,print:lp7200`, and the call to `Subject.isPermitted("printer:query:lp7200")` is called when checking query permission on the printer. What this would mean is that the user can query or print to the printer, and this specific action is just checking for the query permission.

However, according to [this code](https://github.com/apache/shiro/blob/fa518ec985fd192497cd04e2569041b2f469aead/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java#L211C1-L223C14):

```
if (!part.contains(WILDCARD_TOKEN) && !part.containsAll(otherPart)) {
    return false;
}
```

This seems to be saying if the part (the user's assigned permission) doesn't contain a `*` AND it doesn't contain _*ALL*_ of the parts specified in the requested permission check (the other part), it should fail.

The question is: Why does it require all parts of the granted permission to be found in the checked permission? If the grant says you can print and query (`print,query`), shouldn't the imply say that the checked permission needs to have all the parts of the granted (in this case: `query,print` matches all parts of `query`)?

### What was the expected outcome?

```
new WildcardPermission("printer:query,print:lp7200").implies(new WildcardPermission("printer:query:lp7200"))
```

Should return true. The permission to print or query should pass the check when we check if you can query.
### How to reproduce

```
Assert(new WildcardPermission("printer:query,print:lp7200").implies(new WildcardPermission("printer:query:lp7200")), true)
```

### Debug logs

_No response_
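
The comparison quoted in the issue, modelled as a standalone Java class so the direction of the `containsAll` call can be traced with the issue's own permission strings. This is an added example, not Shiro's source or the reporter's code; `WildcardImpliesModel`, `parse` and the sample checks in `main` are hypothetical, and it assumes the receiver of `implies` is the granted permission and the argument is the permission being checked.

```java
import java.util.*;

// Added illustration: a standalone model of the part-by-part comparison,
// not Shiro's source. Class and method names here are hypothetical.
public class WildcardImpliesModel {
    static final String WILDCARD = "*";

    // "printer:query,print:lp7200" -> [{printer}, {query, print}, {lp7200}]
    static List<Set<String>> parse(String permission) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : permission.trim().toLowerCase().split(":")) {
            parts.add(new LinkedHashSet<>(Arrays.asList(part.trim().split("\\s*,\\s*"))));
        }
        return parts;
    }

    // granted = permission held by the subject; requested = permission being checked.
    static boolean implies(String granted, String requested) {
        List<Set<String>> mine = parse(granted);
        List<Set<String>> other = parse(requested);
        int i = 0;
        for (Set<String> otherPart : other) {
            if (i >= mine.size()) {
                return true; // granted is shorter: its missing trailing parts act as wildcards
            }
            Set<String> part = mine.get(i);
            // The granted set must cover every subpart the request names at this level.
            if (!part.contains(WILDCARD) && !part.containsAll(otherPart)) {
                return false;
            }
            i++;
        }
        // Granted is longer than requested: the extra granted parts must all be wildcards.
        for (; i < mine.size(); i++) {
            if (!mine.get(i).contains(WILDCARD)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed checks: the issue's pair, then the same pair with the roles swapped.
        System.out.println(implies("printer:query,print:lp7200", "printer:query:lp7200"));
        System.out.println(implies("printer:query:lp7200", "printer:query,print:lp7200"));
        System.out.println(implies("printer:*:lp7200", "printer:print:lp7200"));
        System.out.println(implies("printer:query:lp7200", "printer:query"));
    }
}
```

On Java 11 or later the file runs directly with `java WildcardImpliesModel.java`.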
