Yes, I think that is incorrect. All you should need is AUTHOR access.
- Dave
On Feb 27, 2006, at 6:10 PM, Jeff Blattman wrote:
we have a user with AUTHOR permissions on a weblog. to see if the
user can access the weblog, RollerAtomHandler calls
WebsiteData.canEdit(), passing in the user. this calls WD.canSave().
WD.canSave() calls hasUserPermissions(..., PermissionsData.ADMIN|
PermissionsData.AUTHOR).
so, in hasUserPermissions(), mask == ADMIN|AUTHOR == 0x01|0x03 ==
0001|0011 == 0011 == 0x03.
in hasUserPermissions(), we get to this block:
    if (userPerms != null && (userPerms.getPermissionMask() & mask) == mask)
    {
        return true;
    }
the user's permission mask is 0x01 == AUTHOR. so,
userPerms.getPermissionMask() & mask == 0x01 & 0x03 == 0001 & 0011
== 0001 == 0x01 != mask. so, the check fails and the user is not
allowed to access the weblog.
this seems wrong, unless i am missing something. it seems like the
check should be:
    if (userPerms != null && (userPerms.getPermissionMask() & mask) == userPerms.getPermissionMask()) ...
the important thing we want to check is that the user's permission
mask (bit) matches up with one of the bits in the mask. if it does,
the & result will be the same as the user's permission mask.
it looks like the present code is instead checking if the user has
ADMIN and AUTHOR permission for the weblog, which i do not think is
correct ... ?
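As an added illustration (not code from this thread or from Roller itself), the following replays the two checks discussed above against the constant values the message gives (AUTHOR = 0x01, ADMIN = 0x03, so mask = ADMIN|AUTHOR = 0x03); the zero-permission row is a constructed extra case not mentioned in the thread.

```java
// Added example: compares the quoted hasUserPermissions() check with the
// proposed one, using the values stated in the message. Not Roller's code.
public class PermissionMaskCheck {
    // Values as given in the message: AUTHOR is bit 0001, ADMIN is 0011.
    static final int AUTHOR = 0x01;
    static final int ADMIN  = 0x03;

    /** The check as quoted from hasUserPermissions(): user must hold EVERY bit in mask. */
    static boolean currentCheck(int userMask, int mask) {
        return (userMask & mask) == mask;
    }

    /** The proposed check: every bit the user holds must lie within mask. */
    static boolean proposedCheck(int userMask, int mask) {
        return (userMask & mask) == userMask;
    }

    /** Alternative "at least one of the requested bits" check (not from the thread). */
    static boolean anyBitCheck(int userMask, int mask) {
        return (userMask & mask) != 0;
    }

    public static void main(String[] args) {
        int mask = ADMIN | AUTHOR;                 // 0011 | 0001 == 0011 == 0x03
        int[] users = { AUTHOR, ADMIN, 0 };        // 0 is a constructed "no permissions" case
        String[] names = { "AUTHOR (0x01)", "ADMIN (0x03)", "none (0x00)" };
        for (int i = 0; i < users.length; i++) {
            // AUTHOR: current=false, proposed=true, anyBit=true
            // ADMIN : current=true,  proposed=true, anyBit=true
            // none  : current=false, proposed=true (0 & mask == 0 == userMask), anyBit=false
            System.out.printf("%-13s current=%-5b proposed=%-5b anyBit=%b%n",
                    names[i],
                    currentCheck(users[i], mask),
                    proposedCheck(users[i], mask),
                    anyBitCheck(users[i], mask));
        }
    }
}
```

The last row shows why the equality form of the proposed check deserves a second look: a user whose mask is 0 also satisfies `(userMask & mask) == userMask`, whereas the `!= 0` form rejects it.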