dave,

I've attached the patch file of what I think this should be. Is there a Roller bug / issue tracker system that I can attach this to? Or can someone here make this change?

Thanks.

David M Johnson wrote:
Yes, I think that is incorrect. All you should need is AUTHOR access.

- Dave


On Feb 27, 2006, at 6:10 PM, Jeff Blattman wrote:

We have a user with AUTHOR permissions on a weblog. To see if the user can access the weblog, RollerAtomHandler calls WebsiteData.canEdit(), passing in the user. This calls WD.canSave().

WD.canSave() calls hasUserPermissions(..., PermissionsData.ADMIN|PermissionsData.AUTHOR).

So, in hasUserPermissions(), mask == ADMIN|AUTHOR == 0x01|0x03 == 0001|0011 == 0011 == 0x03.

In hasUserPermissions(), we get to this block:

    if (userPerms != null && (userPerms.getPermissionMask() & mask) == mask)
    {
        return true;
    }

The user's permission mask is 0x01 == AUTHOR. So, userPerms.getPermissionMask() & mask == 0x01 & 0x03 == 0001 & 0011 == 0001 == 0x01 != mask. So, the check fails and the user is not allowed to access the weblog.

This seems wrong, unless I am missing something. It seems like the check should be:

    if (userPerms != null && (userPerms.getPermissionMask() & mask) == userPerms.getPermissionMask()) ...

The important thing we want to check is that the user's permission mask (bit) matches up with one of the bits in the mask. If it does, the & result will be the same as the user's permission mask.

It looks like the present code is instead checking if the user has ADMIN and AUTHOR permission for the weblog, which I do not think is correct ...

?

Index: org/roller/pojos/WebsiteData.java
===================================================================
--- org/roller/pojos/WebsiteData.java	(revision 373624)
+++ org/roller/pojos/WebsiteData.java	(working copy)
@@ -1011,7 +1011,8 @@
         // if we found one, does it satisfy the mask?
         if (userPerms != null && !userPerms.isPending())
         {
-            if (userPerms != null && (userPerms.getPermissionMask() & mask) == mask) 
+            short userMask = userPerms.getPermissionMask();
+            if ((mask & userMask) == userMask) 
             {
                 return true;
             }
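Review bot: the new condition `(mask & userMask) == userMask` is also satisfied when userMask is 0, because an empty bit set is a subset of every mask, so if any permission level is encoded as a zero mask, a user holding only that level would pass hasUserPermissions() for any requested mask. Guard against that explicitly, e.g. `if (userMask != 0 && (mask & userMask) == userMask)`, or, if the ADMIN|AUTHOR argument is meant as "any of these levels", test `(mask & userMask) != 0`. This also changes the meaning of `mask` from "bits the user must hold" to "set of levels that qualify", so other callers of hasUserPermissions() that pass a single required bit should be reviewed; dropping the redundant `userPerms != null` test is fine since the enclosing if already guarantees it.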

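To make the difference between the two checks concrete, here is an added example (not code from the thread or from the Roller project) that runs both conditions, plus a defensive variant, over the mask values quoted above; the zero-valued level NONE is an assumption added to show the edge case, since the thread names only AUTHOR (0x01) and ADMIN|AUTHOR (0x03).

```java
// Added example, not Roller code. AUTHOR and ADMIN|AUTHOR use the values quoted in
// the thread; NONE = 0x00 is an assumed level with no bits set, used for the edge case.
public class MaskCheckDemo {
    static final short NONE   = 0x00;  // assumed: a level that sets no bits
    static final short AUTHOR = 0x01;  // from the thread
    static final short ADMIN  = 0x03;  // from the thread: ADMIN|AUTHOR == 0x03

    // Check as in the original code: the user must hold EVERY bit in mask.
    static boolean hasAllBits(short userMask, short mask) {
        return (userMask & mask) == mask;
    }

    // Check as in the posted patch: the user's bits must be a subset of mask.
    // An all-zero userMask is a subset of anything, so it passes for every mask.
    static boolean isSubsetOfMask(short userMask, short mask) {
        return (mask & userMask) == userMask;
    }

    // Defensive variant: same subset test, but a user holding no bits never qualifies.
    static boolean isNonEmptySubsetOfMask(short userMask, short mask) {
        return userMask != 0 && (mask & userMask) == userMask;
    }

    public static void main(String[] args) {
        short required = (short) (ADMIN | AUTHOR);  // == 0x03, as passed by WD.canSave()
        short[] users  = { NONE, AUTHOR, ADMIN };
        String[] names = { "NONE", "AUTHOR", "ADMIN" };
        System.out.printf("%-8s %-8s %-8s %-8s%n", "user", "allBits", "subset", "nonEmpty");
        for (int i = 0; i < users.length; i++) {
            System.out.printf("%-8s %-8b %-8b %-8b%n", names[i],
                hasAllBits(users[i], required),
                isSubsetOfMask(users[i], required),
                isNonEmptySubsetOfMask(users[i], required));
        }
    }
}
```

The table it prints shows AUTHOR failing the original check (the bug in the thread), every level including NONE passing the patched subset check, and only AUTHOR and ADMIN passing the non-empty variant.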