portals-jetspeed-dev mailing list archives

From "tingup" <tin...@gmail.com>
Subject Permission config bug in browser
Date Sat, 10 Jul 2010 14:19:03 GMT
I found some bugs with permission editing.

1.    public void updatePermission(PersistentJetspeedPermission permission) throws SecurityException
        Criteria criteria = new Criteria();
        if (permission.getId() == null)
// If we do not have the id property, and the type or name has been changed to that of an existing permission,
// the wrong row in the db will be edited.
// db row1: page(type), name1(name), view,edit(action)
// db row2: page(type), name2(name), view,edit,help(action)
// I change row 1, which was shown in the browser: change the name to "name2" and the action to "view", then click save.
// Row 2 will be changed to db row2: page(type), name2(name), view(action), and row 1 is not changed.
//            criteria.addEqualTo("type", permission.getType());
//            criteria.addEqualTo("name", permission.getName());
             throw new SecurityException(SecurityException.PERMISSION_DOES_NOT_EXIST.create("update failed, permission.id is null."));
            criteria.addEqualTo("id", permission.getId());
        Query query = QueryFactory.newQuery(PersistentJetspeedPermissionImpl.class, criteria);
        PersistentJetspeedPermission current = (PersistentJetspeedPermission)getPersistenceBrokerTemplate().getObjectByQuery(query);
        if (current == null)
            throw new SecurityException(SecurityException.PERMISSION_DOES_NOT_EXIST.create(permission.getName()+"
        if (!current.getActions().equals(permission.getActions()))
            catch (Exception pbe)
                KeyedMessage msg = SecurityException.UNEXPECTED.create("JetspeedSecurityPersistenceManager",
                logger.error(msg, pbe);
                throw new SecurityException(msg, pbe);

2.    public List<JetspeedPrincipal> getPrincipals(PersistentJetspeedPermission permission, String principalType)
        Criteria criteria = new Criteria();
        if (permission.getId() != null)
            criteria.addEqualTo("permissions.permissionId", permission.getId());
            criteria.addEqualTo("permissions.permission.type", permission.getType());
            criteria.addEqualTo("permissions.permission.name", permission.getName());
// I added one more condition:
            criteria.addEqualTo("permissions.permission.actions", permission.getActions());
        if (principalType != null)
            criteria.addEqualTo("type", principalType);
        criteria.addEqualTo("domainId", getDefaultSecurityDomainId());
        QueryByCriteria query = QueryFactory.newQuery(PersistentJetspeedPrincipal.class, criteria);
        return (List<JetspeedPrincipal>) getPersistenceBrokerTemplate().execute(new
The same applies to:
public void removePermission(PersistentJetspeedPermission permission) throws SecurityException
public void grantPermission(PersistentJetspeedPermission permission, JetspeedPrincipal principal) throws SecurityException
public void grantPermissionOnlyTo(PersistentJetspeedPermission permission, String principalType, List<JetspeedPrincipal> principals) throws SecurityException
public void revokePermission(PersistentJetspeedPermission permission, JetspeedPrincipal principal) throws SecurityException

One more bug: if I edit the permission condition, it will not affect a user who has already
logged in to the system.
That is because org.apache.jetspeed.security.impl.PermissionManagerImpl uses ThreadLocal<HashMap<Long,Permissions>>
permissionsCache.
I suggest using JetspeedSecurityPersistenceManagerCache (implements org.apache.ojb.broker.cache.ObjectCache);
then we can clear the cache after the permission config has changed.

I have made the change, and don't know if it can be accepted.

org.apache.jetspeed.decoration.PageActionAccess has the same bug:
    public void checkReset(boolean anonymous, ContentPage page) {
        // if (this.anonymous != anonymous)
        // {
        // this.anonymous = anonymous;
        // this.editAllowed = checkEditPage(page);
        // this.fragmentActionAccess.clear();
        // this.editing = false;
        // }
        // Use this code instead; the permission config can then take effect immediately.
        if (this.anonymous != anonymous) {
            this.anonymous = anonymous;
            this.editing = false;
        }
        this.editAllowed = checkEditPage(page);
    }
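
The wrong-row update from point 1, reproduced against an in-memory table as an added example (not part of the original message and not Jetspeed code). The class PermissionUpdateDemo, its Row type and both update methods are hypothetical stand-ins for the OJB-backed manager; the two rows are constructed from the scenario in the message.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical in-memory stand-in for the permission table (not Jetspeed code).
// Shows why resolving the update target from submitted type+name edits the wrong row.
public class PermissionUpdateDemo {
    static final class Row {
        final long id; final String type; final String name; String actions;
        Row(long id, String type, String name, String actions) {
            this.id = id; this.type = type; this.name = name; this.actions = actions;
        }
        @Override public String toString() { return "row" + id + ": " + type + ", " + name + ", " + actions; }
    }

    final Map<Long, Row> table = new LinkedHashMap<>();

    PermissionUpdateDemo() {
        // Constructed sample rows, matching the scenario in the message.
        table.put(1L, new Row(1, "page", "name1", "view,edit"));
        table.put(2L, new Row(2, "page", "name2", "view,edit,help"));
    }

    // Old behaviour: with no id, the target row is looked up by the *submitted* type and name.
    Row updateByTypeAndName(String type, String name, String actions) {
        for (Row r : table.values()) {
            if (r.type.equals(type) && r.name.equals(name)) { r.actions = actions; return r; }
        }
        throw new IllegalStateException("permission does not exist: " + name);
    }

    // Proposed behaviour: refuse an update without an id and address the row by id only.
    // Only the actions are updated here, as in the method shown in the message.
    Row updateById(Long id, String actions) {
        if (id == null) throw new IllegalStateException("update failed, permission.id is null.");
        Row r = table.get(id);
        if (r == null) throw new IllegalStateException("permission does not exist: id " + id);
        r.actions = actions;
        return r;
    }

    public static void main(String[] args) {
        // The admin edits row 1 in the browser: name -> "name2", actions -> "view".
        PermissionUpdateDemo old = new PermissionUpdateDemo();
        System.out.println("type+name lookup changed " + old.updateByTypeAndName("page", "name2", "view"));
        System.out.println("  intended target still  " + old.table.get(1L));
        PermissionUpdateDemo fixed = new PermissionUpdateDemo();
        System.out.println("id lookup changed        " + fixed.updateById(1L, "view"));
        System.out.println("  other row still        " + fixed.table.get(2L));
    }
}
```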

