ACL does not check queuename (or routingkey) on bind
----------------------------------------------------

                 Key: QPID-2063
                 URL: https://issues.apache.org/jira/browse/QPID-2063
             Project: Qpid
          Issue Type: Bug
          Components: C++ Broker
    Affects Versions: 0.5
            Reporter: Tim Platten

ACL allows binding to a queue to which access should be denied, e.g.

ACL:

    acl deny tes...@qpid all queue name=baz
    acl allow tes...@qpid bind exchange name=foo queuename=bar routingkey=foo.bar

The following command succeeds and it shouldn't:

    qpid-config -a baclo/ba...@localhost bind foo baz foo.bar

I believe this is because SessionAdapter::ExchangeHandlerImpl::bind is not checking either queueName or routingKey. I.e.

    AclModule* acl = getBroker().getAcl();
    if (acl) {
        if (!acl->authorise(getConnection().getUserId(),acl::ACT_BIND,acl::OBJ_EXCHANGE,exchangeName,routingKey) )

should read:

    AclModule* acl = getBroker().getAcl();
    if (acl) {
        // Hand the queue name and routing key to the ACL lookup as properties
        std::map<acl::Property, std::string> params;
        params.insert(make_pair(acl::PROP_QUEUENAME, queueName));
        params.insert(make_pair(acl::PROP_ROUTINGKEY, routingKey));
        if (!acl->authorise(getConnection().getUserId(),acl::ACT_BIND,acl::OBJ_EXCHANGE,exchangeName,&params) )
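The failure mode in this report, as an added example that is not Qpid source code and not part of the original message: a simplified first-match ACL matcher in which a rule's property constraint is compared only when the caller supplies that property. The matcher semantics, the default deny, the failClosed option and the names Rule, matches, reportAcl and bindRequest are assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <vector>

enum Decision { ALLOW, DENY };
typedef std::map<std::string, std::string> Props;
struct Rule { Decision decision; std::string action, object; Props props; };

// Assumed matcher: a constraint is compared only if the caller supplied that
// property; with failClosed, a missing property means the rule cannot match.
static bool matches(const Rule& r, const std::string& action, const std::string& object,
                    const Props& supplied, bool failClosed) {
    if ((r.action != "all" && r.action != action) || r.object != object) return false;
    for (Props::const_iterator c = r.props.begin(); c != r.props.end(); ++c) {
        Props::const_iterator s = supplied.find(c->first);
        if (s == supplied.end()) { if (failClosed) return false; continue; }
        if (s->second != c->second) return false;
    }
    return true;
}

// First matching rule wins; no match falls through to DENY (assumed default).
Decision authorise(const std::vector<Rule>& acl, const std::string& action,
                   const std::string& object, const Props& supplied, bool failClosed = false) {
    for (std::vector<Rule>::const_iterator r = acl.begin(); r != acl.end(); ++r)
        if (matches(*r, action, object, supplied, failClosed)) return r->decision;
    return DENY;
}

// The two rules from the report, reduced to a single user (constructed model).
std::vector<Rule> reportAcl() {
    std::vector<Rule> acl(2);
    acl[0].decision = DENY;  acl[0].action = "all";  acl[0].object = "queue";
    acl[0].props["name"] = "baz";
    acl[1].decision = ALLOW; acl[1].action = "bind"; acl[1].object = "exchange";
    acl[1].props["name"] = "foo";
    acl[1].props["queuename"] = "bar";
    acl[1].props["routingkey"] = "foo.bar";
    return acl;
}

// Properties for "bind foo <queue> foo.bar"; an empty queue models a handler that omits it.
Props bindRequest(const std::string& queue) {
    Props p; p["name"] = "foo"; p["routingkey"] = "foo.bar";
    if (!queue.empty()) p["queuename"] = queue;
    return p;
}

// Exit status 0 when a bind to baz is denied once the queue name is supplied.
int main() { return authorise(reportAcl(), "bind", "exchange", bindRequest("baz")) == DENY ? 0 : 1; }
```

In this model a bind to baz returns ALLOW when the queue name is omitted from the lookup, and DENY once it is supplied or when failClosed is set, so a rule constraint the caller never sends cannot silently pass.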