portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Randy Watler (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-900) SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException
Date Wed, 06 May 2009 00:14:30 GMT

     [ https://issues.apache.org/jira/browse/JS2-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Randy Watler resolved JS2-900.
------------------------------

    Resolution: Fixed

Resolved with the following commits: 772016, 772017.

Also requires configuration of profiler valve in pipelines.xml to enable 403/404 returns and
disable default page folder fallback:

  <bean id="profilerValve" class="org.apache.jetspeed.profiler.impl.ProfilerValveImpl"
init-method="initialize">
    ...
    <!--
      request fallback to root folder/page enabled by default;
      if set to false, requests generate HTTP 403/404 errors
      for access errors or missing pages
    -->
    <constructor-arg index="2">
      <value>false</value>
    </constructor-arg>
    ...
  </bean>



> SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException
> ------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-900
>                 URL: https://issues.apache.org/jira/browse/JS2-900
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Profiling/Portal Navigation
>    Affects Versions: 2.1.3
>            Reporter: Ate Douma
>            Assignee: Randy Watler
>            Priority: Critical
>             Fix For: 2.2.0
>
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> SiteView.getNodeProxy uses currentFolder.getAll() to lookup a target path (element).
> FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for which the
current user doesn't have access.
> But this means there is no distinction possible between a not-existing page access and
not-allowed page access (e.g. 404 or 403).
> The ProfilerValveImpl (invoking these) already can handle a thrown SecurityException
and send a SC_FORBIDDEN error (if configured to do so).
> So, the intended behavior already is to support this.
> We just need to fix SiteView.getNodeProxy a little like calling currentFolder.getAllNodes()
and perform a security check itself *if* the path was resolved.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message