Arjan Lamers wrote:
> We had a problem with news items showing up for some users who were not
> allowed to see them. I found the following code in cloudcontext's
> Contexts.java:
>
> public Authorization.QueryCheck check(User userContext, Query query,
>                                       Operation operation) {
>     [...]
>     if (steps.size() * ac.contexts.size() < maxContextsInQuery) {
>         [... add contexts constraint to query...]
>     } else { // query would grow too large
>         return Authorization.NO_CHECK;
>     }
> }
>
> To me it seems the else part is horribly wrong: if for some reason
> security could not be enforced, it is wiser to disallow all instead of
> allowing all. This is more like a programmed buffer overflow ;)
> Furthermore, the else should have at least logged a huge warning that
> security would be disabled.
>
> To solve our problem I only had to increase the maxcontextsinquery in
> cloudcontext.xml, but to find it took some more time...
NO_CHECK should not mean that authorization is disabled, but that it is not
yet checked, and that it should be checked afterwards, node-by-node.
There was indeed an issue that this node-by-node checking did not work, well,
which was fixed a few weeks ago. So, I suppose this message can be
considered a duplicate of that bug.
Michiel
--
Michiel Meeuwissen mihxil'
Mediacentrum 140 H'sum [] ()
+31 (0)35 6772979 nl_NL eo_XX en_US
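The two paths discussed in this thread, as an added example that is not cloudcontext or MMBase code: a small Python model in which check() either pushes the user's context constraint into the query or returns NO_CHECK, and NO_CHECK is then honoured by a node-by-node filter (fail-closed), with a switch that reproduces the fallback-not-running bug (fail-open). All class names, users, contexts and node data are constructed for the example.

```python
# Added example (not MMBase/cloudcontext code): a model of query-level vs
# node-level context authorization. check() mirrors the structure of the
# quoted Java method; NO_CHECK means "not checked in the query, check each
# node later", never "return everything". All names and data are constructed.
import logging
from dataclasses import dataclass
from typing import FrozenSet, Optional

log = logging.getLogger("cloudcontext_model")

NO_CHECK = None  # sentinel: query not constrained, caller must check per node


@dataclass(frozen=True)
class Node:
    number: int
    context: str


@dataclass
class Query:
    steps: int = 1
    # Constraint added by check(): only nodes in these contexts may be returned.
    contexts: Optional[FrozenSet[str]] = None


class ContextAuthorization:
    def __init__(self, user_contexts, max_contexts_in_query):
        self.user_contexts = {u: frozenset(c) for u, c in user_contexts.items()}
        self.max_contexts_in_query = max_contexts_in_query

    def may_read(self, user, node):
        """Node-level check: the per-node fallback that NO_CHECK relies on."""
        return node.context in self.user_contexts.get(user, frozenset())

    def check(self, user, query):
        """Query-level check. Returns True when the constraint was added to the
        query, NO_CHECK when the query would grow too large."""
        allowed = self.user_contexts.get(user, frozenset())
        if query.steps * len(allowed) < self.max_contexts_in_query:
            query.contexts = allowed
            return True
        # Query would grow too large: say so loudly, and defer to per-node checks.
        log.warning("context constraint not added to query for %s; "
                    "falling back to node-by-node check", user)
        return NO_CHECK


def execute(query, nodes):
    """Stand-in for the database: applies only the constraint inside the query."""
    if query.contexts is None:
        return list(nodes)
    return [n for n in nodes if n.context in query.contexts]


def run_query(auth, user, query, nodes, node_by_node_works=True):
    """Fail-closed: rows returned under NO_CHECK are filtered node-by-node.
    node_by_node_works=False models the bug the reply mentions (the fallback
    filter not running), which silently turns NO_CHECK into fail-open."""
    verdict = auth.check(user, query)
    rows = execute(query, nodes)
    if verdict is NO_CHECK and node_by_node_works:
        rows = [n for n in rows if auth.may_read(user, n)]
    return rows


# Constructed sample data: four news nodes in four contexts, two users.
NODES = [Node(1, "public"), Node(2, "staff"), Node(3, "hr"), Node(4, "secret")]
AUTH = ContextAuthorization(
    {"alice": {"public", "staff"},
     "bob": {"public", "staff", "hr", "finance"}},
    max_contexts_in_query=3,
)


def visible(user, node_by_node_works=True):
    """Node numbers the user gets back from a fresh query."""
    return [n.number for n in run_query(AUTH, user, Query(), NODES, node_by_node_works)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("alice (constraint in query):", visible("alice"))
    print("bob (NO_CHECK, node-by-node):", visible("bob"))
    print("bob (NO_CHECK, fallback broken):", visible("bob", node_by_node_works=False))
```

With max_contexts_in_query=3, alice's two contexts fit into the query and she sees nodes 1 and 2; bob's four contexts do not fit, so his query comes back unconstrained and only the node-by-node filter keeps node 4 ("secret") away from him. Disabling that filter reproduces the symptom from the first message: the "query would grow too large" branch becomes an allow-all.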