On closer inspection, I think the existing code is correct.
Authors are not allowed to do any blog configuration, change
templates, etc. So authors should not be able to change the website
data object.
- Dave
On Feb 28, 2006, at 2:27 PM, Jeff Blattman wrote:
Dave,
I've attached the patch file of what I think this should be. Is
there a Roller bug / issue tracker system that I can attach this
to? Or can someone here make this change?
Thanks.
David M Johnson wrote:
Yes, I think that is incorrect. All you should need is AUTHOR access.
- Dave
On Feb 27, 2006, at 6:10 PM, Jeff Blattman wrote:
We have a user with AUTHOR permissions on a weblog. To see if the
user can access the weblog, RollerAtomHandler calls
WebsiteData.canEdit(), passing in the user. This calls WD.canSave().
WD.canSave() calls hasUserPermissions(..., PermissionsData.ADMIN|
PermissionsData.AUTHOR).
So, in hasUserPermissions(), mask == ADMIN|AUTHOR == 0x01|0x03 ==
0001|0011 == 0011 == 0x03.
In hasUserPermissions(), we get to this block:

    if (userPerms != null && (userPerms.getPermissionMask() & mask) == mask)
    {
        return true;
    }

The user's permission mask is 0x01 == AUTHOR. So,
userPerms.getPermissionMask() & mask == 0x01 & 0x03 == 0001 &
0011 == 0001 == 0x01 != mask. So, the check fails and the user is
not allowed to access the weblog.
This seems wrong, unless I am missing something. It seems like
the check should be:

    if (userPerms != null && (userPerms.getPermissionMask() & mask) == userPerms.getPermissionMask()) ...

The important thing we want to check is that the user's
permission mask (bit) matches up with one of the bits in the
mask. If it does, the & result will be the same as the user's
permission mask.
It looks like the present code is instead checking if the user
has ADMIN and AUTHOR permission for the weblog, which I do not
think is correct ...
?
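The two mask checks compared in the message above, as an added example that is not part of this thread and not Roller's code. It uses the bit values the thread gives (AUTHOR = 0x01, ADMIN = 0x03, so ADMIN carries the AUTHOR bit) and adds one assumption of its own, an all-zero mask for a user record with no permission bits, to exercise the edge case. It goes beyond the single case discussed by tabulating the existing "holds every required bit" test, the proposed "user's bits are a subset of the mask" test, and a third "holds at least one requested bit" test against both ADMIN|AUTHOR and AUTHOR alone.

```python
"""Added example: compare permission-mask checks on a Roller-style bitmask.

Bit values below follow the thread (AUTHOR = 0x01, ADMIN = 0x03).
NONE = 0x00 is an assumption made here for a record with no bits set.
This is illustrative code, not Roller's WebsiteData.hasUserPermissions().
"""

AUTHOR = 0x01
ADMIN = 0x03          # includes the AUTHOR bit
NONE = 0x00           # assumed: no permission bits set

# Sample users, constructed for the example: (label, permission mask).
SAMPLE_USERS = (("none", NONE), ("author", AUTHOR), ("admin", ADMIN))


def has_all_bits(user_mask: int, required: int) -> bool:
    """The existing check: the user must hold every bit in `required`."""
    return (user_mask & required) == required


def is_subset_of(user_mask: int, required: int) -> bool:
    """The proposed check: every bit the user holds must lie within `required`.

    Note this is true for user_mask == 0 against any `required`, and false
    for a user whose bits go beyond `required` (e.g. 0x03 against 0x01).
    """
    return (required & user_mask) == user_mask


def has_any_bit(user_mask: int, required: int) -> bool:
    """Alternative reading of "matches one of the bits in the mask":
    the user holds at least one requested bit (so a zero mask never passes).
    """
    return (user_mask & required) != 0


def truth_table(required: int):
    """Return (label, all_bits, subset, any_bit) for each sample user."""
    return [
        (label,
         has_all_bits(user, required),
         is_subset_of(user, required),
         has_any_bit(user, required))
        for label, user in SAMPLE_USERS
    ]


def print_table(required: int, title: str) -> None:
    print(f"mask = {title} (0x{required:02x})")
    print(f"  {'user':8} {'all-bits':9} {'subset':8} {'any-bit':8}")
    for label, all_b, sub, any_b in truth_table(required):
        print(f"  {label:8} {str(all_b):9} {str(sub):8} {str(any_b):8}")


if __name__ == "__main__":
    # The case from the thread: canSave() asks for ADMIN|AUTHOR.
    print_table(ADMIN | AUTHOR, "ADMIN|AUTHOR")
    # A mask of AUTHOR alone shows where the subset check rejects an admin.
    print_table(AUTHOR, "AUTHOR")
```

Running it shows the three readings diverge exactly where it matters: against ADMIN|AUTHOR the existing check admits only the admin, the subset check admits everyone including the all-zero record, and the any-bit check admits author and admin; against AUTHOR alone the subset check is the only one that turns the admin away.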
Index: org/roller/pojos/WebsiteData.java
===================================================================
--- org/roller/pojos/WebsiteData.java (revision 373624)
+++ org/roller/pojos/WebsiteData.java (working copy)
@@ -1011,7 +1011,8 @@
// if we found one, does it satisfy the mask?
if (userPerms != null && !userPerms.isPending())
{
- if (userPerms != null && (userPerms.getPermissionMask
() & mask) == mask)
+ short userMask = userPerms.getPermissionMask();
+ if ((mask & userMask) == userMask)
{
return true;
}
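Review bot: the replacement test `(mask & userMask) == userMask` passes for any user whose permission mask is 0, because `mask & 0` is 0 and 0 == userMask; inside the enclosing `if (userPerms != null && !userPerms.isPending())` that means a non-pending record with no bits set is granted access. It also rejects a user whose bits exceed the requested mask: with the values from the thread, a user mask of 0x03 checked against a mask of 0x01 gives 0x01 != 0x03, so an admin would fail a check that only asks for AUTHOR. If the intent is "the user holds at least one of the requested bits", `(mask & userMask) != 0` says that without either problem; if the intent is to keep "the user holds every requested bit", the original `== mask` comparison should stay. Dropping the redundant `userPerms != null` from the inner condition is fine either way, since the outer `if` already guarantees it.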