cmlenz 02/02/24 15:09:18
Modified: src/share/org/apache/slide/security Tag: SLIDE_1_0
SecurityImpl.java
Log:
Porting bugfixes/enhancements from the HEAD branch
- Committed by msmith, 02/01/30 21:36:11
"If we have an object /files/a, and an object /files/ab, and a user has
inheritable permission(s) on /files/a, then they were able to also use
those permission(s) on /files/ab, due to a bug in the checking.
Rather than allowing anything starting with /files/a, we allow only
/files/a and anything starting with /files/a/ (the latter case being
correctly allowed by the inheritable flag)."
- Committed by msmith, 02/02/05 18:35:34
"Bugfix to previous security fix - type made group permissions more or
less completely broken."
Revision Changes Path
No revision
No revision
1.27.2.1 +40 -32
jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java
Index: SecurityImpl.java
===================================================================
RCS file:
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v
retrieving revision 1.27
retrieving revision 1.27.2.1
diff -u -r1.27 -r1.27.2.1
--- SecurityImpl.java 12 Sep 2001 13:50:32 -0000 1.27
+++ SecurityImpl.java 24 Feb 2002 23:09:18 -0000 1.27.2.1
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v 1.27
2001/09/12 13:50:32 juergen Exp $
- * $Revision: 1.27 $
- * $Date: 2001/09/12 13:50:32 $
+ * $Header:
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v
1.27.2.1 2002/02/24 23:09:18 cmlenz Exp $
+ * $Revision: 1.27.2.1 $
+ * $Date: 2002/02/24 23:09:18 $
*
* ====================================================================
*
@@ -77,7 +77,7 @@
* Security helper.
*
* @author <a href="mailto:[EMAIL PROTECTED]";>Remy Maucherat</a>
- * @version $Revision: 1.27 $
+ * @version $Revision: 1.27.2.1 $
*/
public final class SecurityImpl implements Security {
@@ -436,7 +436,7 @@
Uri subjectUri = namespace.getUri(subject.getUri());
Uri actionUri = namespace.getUri(action.getUri());
-
+
while (!granted && !denied && !rootObjectReached) {
Uri courUri = namespace.getUri(courObject.getUri());
@@ -455,12 +455,14 @@
if (permissionSubject.equals("~")) {
boolean check;
+ check = object.getUri().equals(subjectUri.toString());
if (permission.isInheritable()) {
- check =
- object.getUri().startsWith(subjectUri.toString());
- } else {
- check = object.getUri().equals(subjectUri.toString());
- }
+ String subjectUriString = subjectUri.toString();
+ if(!subjectUriString.endsWith("/"))
+ subjectUriString = subjectUriString + "/";
+
+ check |= object.getUri().startsWith(subjectUriString);
+ }
// Self permission
granted = (!permission.isNegative())
@@ -478,16 +480,18 @@
if (permissionSubject.startsWith("/")) {
// Node permission
- granted = (!permission.isNegative())
- && (subjectUri.toString()
- .startsWith(permission.getSubjectUri()))
- && (actionUri.toString()
- .startsWith(permission.getActionUri()));
- denied = (permission.isNegative())
- && (subjectUri.toString()
- .startsWith(permission.getSubjectUri()))
- && (actionUri.toString()
- .startsWith(permission.getActionUri()));
+
+ String permSubj = permission.getSubjectUri();
+ if(!permSubj.endsWith("/"))
+ permSubj = permSubj + "/";
+ boolean match = subjectUri.toString().
+ equals(permission.getSubjectUri()) ||
+ subjectUri.toString().startsWith(permSubj);
+ match &= actionUri.toString().
+ startsWith(permission.getActionUri());
+
+ granted = (!permission.isNegative()) && match;
+ denied = permission.isNegative() && match;
} else if (permissionSubject.startsWith("+")) {
@@ -522,19 +526,23 @@
((LinkNode) childNode)
.getLinkedUri() :
childNode.getUri() ;
+
+ String testUri;
+ if(!childSubjectUri.endsWith("/"))
+ testUri = childSubjectUri+"/";
+ else
+ testUri = childSubjectUri;
+
+ boolean match = subjectUri.toString().
+ equals(childSubjectUri) ||
+ subjectUri.toString().
+ startsWith(testUri);
+ match &= actionUri.toString().
+ startsWith(permission.getActionUri());
- granted = (!permission.isNegative())
- && (subjectUri.toString()
- .startsWith(childSubjectUri))
- && (actionUri.toString()
- .startsWith
- (permission.getActionUri()));
- denied = (permission.isNegative())
- && (subjectUri.toString()
- .startsWith(childSubjectUri))
- && (actionUri.toString()
- .startsWith
- (permission.getActionUri()));
+ granted = (!permission.isNegative()) &&
+ match;
+ denied = permission.isNegative() && match;
granted = granted | oldGranted;
denied = denied | oldDenied;
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
