portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Created: (JS2-900) SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException
Date Tue, 02 Sep 2008 11:33:45 GMT
SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException
------------------------------------------------------------------------------------------------------

                 Key: JS2-900
                 URL: https://issues.apache.org/jira/browse/JS2-900
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Profiling/Portal Navigation
    Affects Versions: 2.1.3
            Reporter: Ate Douma
             Fix For: 2.2


SiteView.getNodeProxy uses currentFolder.getAll() to look up a target path (element).
FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for which the current
user doesn't have access.

But this means there is no distinction possible between a non-existent page access and a not-allowed
page access (e.g. 404 or 403).
The ProfilerValveImpl (invoking these) already can handle a thrown SecurityException and send
a SC_FORBIDDEN error (if configured to do so).
So, the intended behavior already is to support this.

We just need to fix SiteView.getNodeProxy a little like calling currentFolder.getAllNodes()
and perform a security check itself *if* the path was resolved.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
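
The lookup order proposed in the issue, as an added Java example that is not Jetspeed code: resolve the path against the unfiltered node set first, and run the access check only if the path resolved. The Node record, ALL_NODES map, statusFor helper and the fallback to 404 when 403 is not enabled are simplified, hypothetical stand-ins; only the names getNodeProxy, getAllNodes and NodeNotFoundException come from the message.

```java
import java.util.Map;
import java.util.Set;

// Added illustration with simplified stand-ins; these are not Jetspeed's classes.
public class NodeLookupDemo {
    static class NodeNotFoundException extends Exception {
        NodeNotFoundException(String message) { super(message); }
    }

    // Hypothetical node: a name plus the set of users allowed to view it.
    record Node(String name, Set<String> viewers) {
        void checkAccess(String user) {
            if (!viewers.contains(user)) {
                throw new SecurityException("view access denied: " + name);
            }
        }
    }

    // Constructed sample content, standing in for an unfiltered getAllNodes() result.
    static final Map<String, Node> ALL_NODES = Map.of(
        "public.psml", new Node("public.psml", Set.of("alice", "bob")),
        "admin.psml", new Node("admin.psml", Set.of("alice")));

    // Resolve against the unfiltered set, then check security only if the path resolved.
    static Node getNodeProxy(String path, String user) throws NodeNotFoundException {
        Node node = ALL_NODES.get(path);
        if (node == null) {
            throw new NodeNotFoundException("no such node: " + path); // missing page
        }
        node.checkAccess(user); // existing but not allowed: SecurityException
        return node;
    }

    // Caller side: 403 only when enabled; falling back to 404 is an assumption here.
    static int statusFor(String path, String user, boolean sendForbidden) {
        try {
            getNodeProxy(path, user);
            return 200;
        } catch (SecurityException e) {
            return sendForbidden ? 403 : 404;
        } catch (NodeNotFoundException e) {
            return 404;
        }
    }

    public static void main(String[] args) {
        System.out.println(statusFor("public.psml", "bob", true));
        System.out.println(statusFor("admin.psml", "bob", true));
        System.out.println(statusFor("missing.psml", "bob", true));
        System.out.println(statusFor("admin.psml", "bob", false));
    }
}
```

Answering 403 rather than 404 confirms to an unauthorized user that the page exists, so keeping the 403 response behind a configuration switch lets a deployment choose between clearer errors and hiding which paths are present.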

