11.07.2001 04:23:10, "Remy Maucherat" <[EMAIL PROTECTED]> wrote:
>> howdy-
>>
>> can someone explain what the following piece of code is about, it's
>> used for example in StructureImpl.create(...) and
>> StructureImpl.store(...)
>>
>> ...
>>
>>   // Checking role
>>   if (!securityHelper.hasRole(token, object.getClass().getName())) {
>>       // Allow the namespace admin to create roles he doesn't have
>>       Uri rootUri = namespace.getUri(token, "/");
>>       ObjectNode rootObject = rootUri.getStore().retrieveObject(rootUri);
>>       securityHelper.checkCredentials
>>           (token, rootObject,
>>            namespaceConfig.getGrantPermissionAction());
>>   }
>>
>> ...
>>
>> now, if a user in my namespace wants to create a LinkNode, this fails
>> due to the code above... I don't quite understand why the subject
>> needs to have the role of the object it wants to create...
>
>Well, otherwise, anyone could create root principals as long as they can
>write somewhere in the users path, and log as them (therefore gaining root
>privileges).
>
>A LinkNode should only have role "nobody", so anyone should be able to
>create one. Looking back at that code, it looks badly broken. It should call
>security.getRoles(object), iterate in the returned enumeration and check if
>the current principal has all the roles in the enumeration.
>
>Remy

okay, more like this then?

    // Checking roles
    Enumeration roles = securityHelper.getRoles(object);
    while (roles.hasMoreElements()) {
        if (!securityHelper.hasRole(token, (String) roles.nextElement())) {
            // Allow only the namespace admin to create roles he doesn't have
            Uri rootUri = namespace.getUri(token, "/");
            ObjectNode rootObject =
                rootUri.getStore().retrieveObject(rootUri);
            securityHelper.checkCredentials
                (token, rootObject,
                 namespaceConfig.getGrantPermissionAction());
            break;
        }
    }

that solves the LinkNode problem anyway, but I haven't checked much
else yet...

-chris
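
Added example, not part of the thread and not Slide source: a self-contained Java model of the two checks discussed above, the original one that uses the class name as the role and the proposed one that iterates over the object's roles. The role tables, the principal names and the `RootSubject` class are constructed stand-ins for the Slide security helper and its configuration.

```java
import java.util.*;

// Added illustration; every name below is a hypothetical stand-in, not Slide API.
public class RoleCheckDemo {
    static class LinkNode {}
    static class RootSubject {}

    // Constructed data: roles carried by objects of each class.
    static final Map<Class<?>, Set<String>> OBJECT_ROLES = Map.of(
        LinkNode.class, Set.of("nobody"),
        RootSubject.class, Set.of("nobody", "root"));

    // Constructed data: roles held by each principal.
    static final Map<String, Set<String>> PRINCIPAL_ROLES = Map.of(
        "chris", Set.of("nobody", "user"),
        "admin", Set.of("nobody", "user"));

    // Stand-in for checkCredentials(token, rootObject, grantPermissionAction).
    static final Set<String> MAY_GRANT_ON_ROOT = Set.of("admin");

    static boolean hasRole(String principal, String role) {
        return PRINCIPAL_ROLES.getOrDefault(principal, Set.of()).contains(role);
    }

    // Original check: the class name is used as if it were a role name.
    static boolean mayCreateOld(String principal, Object o) {
        return hasRole(principal, o.getClass().getName())
            || MAY_GRANT_ON_ROOT.contains(principal);
    }

    // Proposed check: the principal must hold every role of the object;
    // on the first missing role, fall back to the grant check on the root.
    // As in the posted loop, an object with no roles requires none.
    static boolean mayCreateNew(String principal, Object o) {
        for (String role : OBJECT_ROLES.getOrDefault(o.getClass(), Set.of())) {
            if (!hasRole(principal, role)) {
                return MAY_GRANT_ON_ROOT.contains(principal);
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Object[] objects = { new LinkNode(), new RootSubject() };
        for (String p : new String[] { "chris", "admin" })
            for (Object o : objects)
                System.out.printf("%-5s %-11s old=%-5b new=%b%n", p,
                    o.getClass().getSimpleName(), mayCreateOld(p, o), mayCreateNew(p, o));
    }
}
```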