Hi all,
We had a problem with news items showing up for some users who were not allowed to see them. I found the following code in cloudcontext's Contexts.java:
    public Authorization.QueryCheck check(User userContext, Query query, Operation operation) {
        [...]
        if (steps.size() * ac.contexts.size() < maxContextsInQuery) {
            [... add contexts constraint to query...]
        } else { // query would grow too large
            return Authorization.NO_CHECK;
        }
    }
To me it seems the else part is horribly wrong: if for some reason security could not be enforced, it is wiser to disallow all instead of allowing all. This is more like a programmed buffer overflow ;)
Furthermore, the else should have at least logged a huge warning that security would be disabled.
To solve our problem I only had to increase the maxcontextsinquery in cloudcontext.xml, but finding it took some more time...
--
Kind regards,
Arjan Lamers

First8 BV
Groenestraat 294
6531 JC Nijmegen
[EMAIL PROTECTED]

Notice: The only person getting his work done by Friday was Robinson Crusoe
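
Added example, not part of the original mail and not MMBase code: a sketch of the two fallbacks discussed above, the allow-all branch the mail describes and the deny-and-log behaviour it asks for. The class, the Decision enum, the helper names and the sample news rows are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

// Added illustration: every type and name here is a hypothetical stand-in, not an MMBase class.
public class FailClosedCheck {
    private static final Logger LOG = Logger.getLogger(FailClosedCheck.class.getName());

    enum Decision { CONSTRAINED, NO_CHECK, DENY_ALL }

    // Fallback as described in the mail: a too-large constraint means no check at all.
    static Decision failOpen(int steps, List<String> allowed, int maxContextsInQuery) {
        return steps * allowed.size() < maxContextsInQuery ? Decision.CONSTRAINED : Decision.NO_CHECK;
    }

    // Fallback the mail asks for: deny everything and log that enforcement was impossible.
    static Decision failClosed(int steps, List<String> allowed, int maxContextsInQuery) {
        if (steps * allowed.size() < maxContextsInQuery) {
            return Decision.CONSTRAINED;
        }
        LOG.severe("Context constraint needs " + steps * allowed.size()
                + " terms, limit is " + maxContextsInQuery + "; denying all results");
        return Decision.DENY_ALL;
    }

    // Applies a decision to rows of {title, context} and returns the titles the user gets.
    static List<String> visibleTitles(Decision d, List<String[]> rows, List<String> allowed) {
        List<String> out = new ArrayList<>();
        for (String[] row : rows) {
            boolean show = d == Decision.NO_CHECK
                    || (d == Decision.CONSTRAINED && allowed.contains(row[1]));
            if (show) out.add(row[0]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: two news items, the user may only read context "public".
        List<String[]> news = List.of(new String[] {"Open day", "public"},
                                      new String[] {"Board minutes", "board"});
        List<String> allowed = List.of("public");
        int steps = 3; // query steps; 3 * 1 allowed context = 3 constraint terms

        for (int limit : new int[] {10, 2}) {
            System.out.println("limit " + limit + " fail-open:   "
                    + visibleTitles(failOpen(steps, allowed, limit), news, allowed));
            System.out.println("limit " + limit + " fail-closed: "
                    + visibleTitles(failClosed(steps, allowed, limit), news, allowed));
        }
    }
}
```

With the limit at 10 both variants return only the permitted item; with the limit at 2 the allow-all fallback returns both items while the deny-and-log fallback returns none and writes a SEVERE log entry.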
