Key: NXP-657
Issue Type: Bug
Status: Open
Priority: Minor
Assignee: Bogdan Stefanescu
Reporter: Olivier Grisel

Make the CoreSession implementations check security on atomic permissions 
Updated: 23/02/07 15:59   Created: 22/02/07 14:57  

The following comment has been added to this issue:

Author: Florent Guillaume
Date: 23/02/07 15:59
Comment:
On the other hand, on a project here we're faced with the following use case: a customer needs to have finer-grained properties access than READ_PROPERTIES. So, for this project, we may have to subdivide READ_PROPERTIES into READ_BASIC_PROPERTIES and READ_BLOB_PROPERTIES. But we don't want to change all the code referring to READ_PROPERTIES to choose one or the other.
So in fact the semantics of hasPermission on groups is clear: if someGroup is perm1 + perm2, then
  hasPermission(someGroup)
must be equivalent to
  hasPermission(perm1) && hasPermission(perm2)

(same for checkPermission)

Project: Nuxeo Enterprise Platform 5
Components: Core, Security
Affects Versions: 5.0.0 GA
Fix Versions: 5.1 M2

Description:
Currently the AbstractSession implementation checks security on compound permissions such as READ and WRITE for which the semantics are undefined. Permission checks should be done on atomic permissions such as BROWSE, READ_PROPERTIES, WRITE_PROPERTIES, ...

ptiyours% jf checkPermission |grep "WRITE)"
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:313: checkPermission(dstDoc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:345: checkPermission(dstDoc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:346: checkPermission(srcDoc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:914: checkPermission(doc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:932: checkPermission(doc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1062: checkPermission(doc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1077: checkPermission(doc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1094: checkPermission(doc, WRITE);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1513: checkPermission(doc, WRITE);
ptiyours% jf checkPermission |grep "READ)"
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:504: checkPermission(child, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:565: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:577: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:683: checkPermission(parentDoc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1125: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1142: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1228: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1244: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1261: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1288: checkPermission(doc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1471: // :: checkPermission(parentDoc, READ);
./org.nuxeo.ecm.core.repository/src/org/nuxeo/ecm/core/api/AbstractSession.java:1503: checkPermission(doc, READ);

Same remark holds for hasPermission instead of checkPermission.
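
The group semantics from the comment above (a check on a group is the AND of the checks on its atomic members), together with the READ_PROPERTIES split it describes, as an added sketch that is not Nuxeo code. The class and method names are hypothetical, and the composition of READ is a constructed assumption, since the ticket says its semantics are undefined.

```java
import java.util.*;

// Hypothetical sketch, not the Nuxeo API: names and the READ composition are assumptions.
public class PermissionGroups {
    // Group name -> members (atomic permissions or other groups).
    private final Map<String, Set<String>> groups = new HashMap<>();

    public void defineGroup(String name, String... members) {
        // An empty group would pass containsAll() vacuously, so refuse it (fail closed).
        if (members.length == 0) throw new IllegalArgumentException("empty group: " + name);
        groups.put(name, new LinkedHashSet<>(Arrays.asList(members)));
    }

    // Expand a permission into the set of atomic permissions it stands for.
    public Set<String> atoms(String permission) {
        Set<String> out = new LinkedHashSet<>();
        expand(permission, out, new HashSet<>());
        return out;
    }

    private void expand(String perm, Set<String> out, Set<String> path) {
        Set<String> members = groups.get(perm);
        if (members == null) { out.add(perm); return; }   // not a group: atomic
        if (!path.add(perm)) throw new IllegalStateException("cyclic group: " + perm);
        for (String m : members) expand(m, out, path);
        path.remove(perm);
    }

    // hasPermission(group) == hasPermission(perm1) && hasPermission(perm2) && ...
    public boolean hasPermission(Set<String> granted, String permission) {
        return granted.containsAll(atoms(permission));
    }

    public void checkPermission(Set<String> granted, String permission) {
        if (!hasPermission(granted, permission))
            throw new SecurityException("missing permission: " + permission);
    }

    public static void main(String[] args) {
        PermissionGroups p = new PermissionGroups();
        // The split from the comment: existing callers keep asking for READ_PROPERTIES.
        p.defineGroup("READ_PROPERTIES", "READ_BASIC_PROPERTIES", "READ_BLOB_PROPERTIES");
        p.defineGroup("READ", "BROWSE", "READ_PROPERTIES");   // constructed composition
        Set<String> basicOnly = Set.of("BROWSE", "READ_BASIC_PROPERTIES");  // constructed grants
        Set<String> full = Set.of("BROWSE", "READ_BASIC_PROPERTIES", "READ_BLOB_PROPERTIES");
        System.out.println("READ expands to " + p.atoms("READ"));
        System.out.println("basicOnly READ_PROPERTIES: " + p.hasPermission(basicOnly, "READ_PROPERTIES"));
        System.out.println("basicOnly READ_BASIC_PROPERTIES: " + p.hasPermission(basicOnly, "READ_BASIC_PROPERTIES"));
        System.out.println("full READ: " + p.hasPermission(full, "READ"));
    }
}
```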
