portals-jetspeed-dev mailing list archives

From tay...@apache.org
Subject svn commit: r708276 - in /portals/jetspeed-2/portal/branches: JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/ JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspe...
Date Mon, 27 Oct 2008 19:06:02 GMT
Author: taylor
Date: Mon Oct 27 12:05:40 2008
New Revision: 708276

URL: http://svn.apache.org/viewvc?rev=708276&view=rev
Log:
https://issues.apache.org/jira/browse/JS2-903
When writing out fragments where the user has write access to the page, but does not have
write access to specific fragments, the fragments are stripped.
This fix still restricts users to writing only to pages where they have access. However,
if a fragment is not accessible, it's skipped over.
NOTE: the DB Page Manager had different behavior on this issue, and required no changes

Modified:
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
    portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java?rev=708276&r1=708275&r2=708276&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
(original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.3-POSTRELEASE/components/page-manager/src/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
Mon Oct 27 12:05:40 2008
@@ -32,6 +32,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jetspeed.JetspeedActions;
 import org.apache.jetspeed.cache.file.FileCache;
 import org.apache.jetspeed.cache.file.FileCacheEntry;
 import org.apache.jetspeed.cache.file.FileCacheEventListener;
@@ -195,27 +196,41 @@
         }
         AbstractBaseElement documentImpl = (AbstractBaseElement)document;
         documentImpl.setHandlerFactory(handlerFactory);
-        if (systemUpdate){
-        	// on system update: temporarily turn off security
-            documentImpl.setPermissionsEnabled(false);
-            documentImpl.setConstraintsEnabled(false);
-        } else {
-            documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-        }
-        documentImpl.marshalling();
-        
-        // marshal page to disk
-        String fileName = path;        
-        if (!fileName.endsWith(this.documentType))
-        {
-            fileName = path + this.documentType;
-        }
-        File f = new File(this.documentRootDir, fileName);
-        Writer writer = null;
-
+        String absolutePath = "";
+        Writer writer = null;        
         try
         {
+            // JS2-903: move try up to ensure no backdoors to disabling security
+            if (systemUpdate)
+            {
+            	// on system update: temporarily turn off security
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);
+            } 
+            else 
+            {
+                try
+                {
+                    // JS2-903: fragments are getting stripped out on write if the current
user does not have edit access to write to the file
+                    document.checkAccess(JetspeedActions.EDIT);
+                }
+                catch (SecurityException se)
+                {
+                    throw new FailedToUpdateDocumentException("Insufficient Access: no edit
access, cannot write.");
+                }
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);            
+            }
+            documentImpl.marshalling();
+            
+            // marshal page to disk
+            String fileName = path;        
+            if (!fileName.endsWith(this.documentType))
+            {
+                fileName = path + this.documentType;
+            }
+            File f = new File(this.documentRootDir, fileName);
+            absolutePath = f.getAbsolutePath();
             // marshal: use SAX II handler to filter document XML for
             // page and folder menu definition menu elements ordered
             // polymorphic collection to strip artifical <menu-element>
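Review bot: In the new `else` branch, once `document.checkAccess(JetspeedActions.EDIT)` passes, permissions and constraints are switched off on `documentImpl` for every ordinary user save, so that one document-level check becomes the only authorization for the whole write; the comment above it describes the old symptom rather than this contract. I would reword it along the lines of `// JS2-903: page-level EDIT is the sole gate; fragment security is disabled below so inaccessible fragments are written back unchanged`. If `documentImpl` instances are shared with concurrent readers (the file-cache imports suggest this, but it is not visible here), the disabled window now opens on every user save rather than only on system updates, which deserves synchronization or at least a note. The inner `catch (SecurityException se)` also discards `se`; keeping it as the cause (if the exception type has such a constructor) or logging it would make denied writes auditable. The same applies to the matching hunk in the JS2-871-pluto-2.0-upgrade file; the enclosing method starts and ends outside the hunk.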
@@ -303,34 +318,33 @@
         }
         catch (MarshalException e)
         {
-            log.error("Could not marshal the file " + f.getAbsolutePath(), e);
+            log.error("Could not marshal the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (ValidationException e)
         {
-            log.error("Document " + f.getAbsolutePath() + " is not valid", e);
+            log.error("Document " + absolutePath + " is not valid", e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (IOException e)
         {
-            log.error("Could not save the file " + f.getAbsolutePath(), e);
+            log.error("Could not save the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (Exception e)
         {
-            log.error("Error while saving  " + f.getAbsolutePath(), e);
+            log.error("Error while saving  " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         finally
         {
-            if (systemUpdate){
-            	// restore permissions / constraints
-            	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-                documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-            }
+        	// restore permissions / constraints
+        	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
+            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
         	try
             {
-                writer.close();
+        	    if (writer != null)
+        	        writer.close();
             }
             catch (IOException e)
             {
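Review bot: The generic `catch (Exception e)` clause will, assuming FailedToUpdateDocumentException is an ordinary Exception subclass, also catch the "Insufficient Access" exception thrown by the new access check earlier in the same try, log it as "Error while saving  " with `absolutePath` still empty, and wrap it a second time. Adding `catch (FailedToUpdateDocumentException e) { throw e; }` ahead of the generic clause would keep an authorization denial distinct from I/O failures, and computing `absolutePath` before the access check would keep the path in every log line. The new `if (writer != null)` guard is written without braces, unlike the surrounding code. The same applies to the matching hunk in the JS2-871-pluto-2.0-upgrade file; the method and its last catch block continue outside the hunk.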

Modified: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java?rev=708276&r1=708275&r2=708276&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
(original)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/page/document/psml/CastorFileSystemDocumentHandler.java
Mon Oct 27 12:05:40 2008
@@ -32,6 +32,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jetspeed.JetspeedActions;
 import org.apache.jetspeed.cache.file.FileCache;
 import org.apache.jetspeed.cache.file.FileCacheEntry;
 import org.apache.jetspeed.cache.file.FileCacheEventListener;
@@ -194,27 +195,40 @@
         }
         AbstractBaseElement documentImpl = (AbstractBaseElement)document;
         documentImpl.setHandlerFactory(handlerFactory);
-        if (systemUpdate){
-        	// on system update: temporarily turn off security
-            documentImpl.setPermissionsEnabled(false);
-            documentImpl.setConstraintsEnabled(false);
-        } else {
-            documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-        }
-        documentImpl.marshalling();
-        
-        // marshal page to disk
-        String fileName = path;        
-        if (!fileName.endsWith(this.documentType))
-        {
-            fileName = path + this.documentType;
-        }
-        File f = new File(this.documentRootDir, fileName);
-        Writer writer = null;
-
+        String absolutePath = "";
+        Writer writer = null;        
         try
         {
+            // JS2-903: move try up to ensure no backdoors to disabling security        
+            if (systemUpdate)
+            {
+            	// on system update: temporarily turn off security
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);
+            } 
+            else 
+            {
+                try
+                {
+                    // JS2-903: fragments are getting stripped out on write if the current
user does not have edit access to write to the file
+                    document.checkAccess(JetspeedActions.EDIT);
+                }
+                catch (SecurityException se)
+                {
+                    throw new FailedToUpdateDocumentException("Insufficient Access: no edit
access, cannot write.");
+                }
+                documentImpl.setPermissionsEnabled(false);
+                documentImpl.setConstraintsEnabled(false);            
+            }
+            documentImpl.marshalling();            
+            // marshal page to disk
+            String fileName = path;        
+            if (!fileName.endsWith(this.documentType))
+            {
+                fileName = path + this.documentType;
+            }
+            File f = new File(this.documentRootDir, fileName);
+            absolutePath = f.getAbsolutePath();            
             // marshal: use SAX II handler to filter document XML for
             // page and folder menu definition menu elements ordered
             // polymorphic collection to strip artifical <menu-element>
@@ -302,34 +316,33 @@
         }
         catch (MarshalException e)
         {
-            log.error("Could not marshal the file " + f.getAbsolutePath(), e);
+            log.error("Could not marshal the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (ValidationException e)
         {
-            log.error("Document " + f.getAbsolutePath() + " is not valid", e);
+            log.error("Document " + absolutePath + " is not valid", e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (IOException e)
         {
-            log.error("Could not save the file " + f.getAbsolutePath(), e);
+            log.error("Could not save the file " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         catch (Exception e)
         {
-            log.error("Error while saving  " + f.getAbsolutePath(), e);
+            log.error("Error while saving  " + absolutePath, e);
             throw new FailedToUpdateDocumentException(e);
         }
         finally
         {
-            if (systemUpdate){
-            	// restore permissions / constraints
-            	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
-                documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
-            }
+        	// restore permissions / constraints
+        	documentImpl.setPermissionsEnabled(handlerFactory.getPermissionsEnabled());
+            documentImpl.setConstraintsEnabled(handlerFactory.getConstraintsEnabled());
         	try
             {
-                writer.close();
+        	    if (writer != null)
+        	        writer.close();
             }
             catch (IOException e)
             {


