DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35582>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35582

           Summary: Enhancement: permissions
           Product: Slide
           Version: Nightly
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Security
        AssignedTo: slide-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


Currently you are not able to load such a set of permissions:

        /files          /users/donald   /actions/read   local           non-negative
        /files          /users/donald   /actions/read   inherited       negative
        /files/A        /users/donald   /actions/read   inherited       non-negative

The above example would give user Donald access to directory A.
At the same time he could not enter other subdirectories of the
'files' directory. I think it is the only way to get such a
result, because you need to have read access on the parent directory.

The current configuration assumes that the triple (object, subject, action)
is the primary key of the 'permissions' table, so you cannot load the above
permission set (non-unique primary key). I extended the primary key to
contain the 'inheritable' and 'negative' attributes. I modified the
'revokePermission' method to take this change into account and
I changed the database scripts accordingly.

Tomek

--- src/share/org/apache/slide/security/Security.java   30 Oct 2004 17:10:47
-0000      1.29
+++ src/share/org/apache/slide/security/Security.java   1 Jul 2005 12:36:38 
-0000
@@ -241,13 +241,16 @@
      * @param object Object on which permission is revoked
      * @param subject Subject who can perform the action
      * @param action Action which can be performed
+     * @param isNegative is permission negative
+     * @param isInheritable is permission inheritable
      * @exception ServiceAccessException DataSource access error
      * @exception ObjectNotFoundException Specified object was not found
      * in the DataSource
      * @exception AccessDeniedException Insufficent credentials
      *
     void revokePermission(SlideToken token, ObjectNode object,
-                          SubjectNode subject, ActionNode action)
+                          SubjectNode subject, ActionNode action,
+                          boolean isNegative, boolean isInheritable)
         throws ServiceAccessException, ObjectNotFoundException,
         AccessDeniedException, VetoException;
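Review bot: the three-argument `revokePermission` is removed from the `Security` interface with no compatible overload, so every existing caller and every other implementation of the interface stops compiling, and none of those callers are part of this patch. Either keep `revokePermission(token, object, subject, action)` as a convenience that revokes all flag combinations of the triple, or include the caller updates in the same change. The Javadoc for the two new parameters should also state that a revoke now matches the stored entry exactly, flags included, since that is the behavioural change callers need to know about.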


--- src/share/org/apache/slide/security/SecurityImpl.java       21 Dec 2004
16:12:44 -0000      1.62
+++ src/share/org/apache/slide/security/SecurityImpl.java       1 Jul 2005
12:38:09 -0000
@@ -328,20 +328,23 @@
      * @param object Object on which permission is revoked
      * @param subject Subject who can perform the action
      * @param action Action which can be performed
+     * @param isNegative is permission negative
+     * @param isInheritable is permission inheritable
      * @exception ServiceAccessException DataSource access error
      * @exception ObjectNotFoundException Specified object was not found
      * in the DataSource
      * @exception AccessDeniedException Insufficent credentials
      */
     public void revokePermission(SlideToken token, ObjectNode object,
-                                 SubjectNode subject, ActionNode action)
+                                 SubjectNode subject, ActionNode action,
+                                 boolean isNegative, boolean isInheritable)
         throws ServiceAccessException, ObjectNotFoundException,
         AccessDeniedException, VetoException {
         //Domain.info("Revoke permission on " + object.getUri());
         checkCredentials(token, object, namespaceConfig
                              .getRevokePermissionAction());
         NodePermission permission = new NodePermission(object, subject,
-                                                       action);
+                                                       action, isNegative,
isInheritable);
         Uri objectUri = namespace.getUri(token, object.getUri());
         objectUri.getStore()
             .revokePermission(objectUri, permission);
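Review bot: the booleans are passed to the `NodePermission` constructor as `action, isNegative, isInheritable`, which is the reverse of the order the adapters bind them (inheritable as parameter 1, negative as parameter 2), and the five-argument constructor itself is not in this patch. Please confirm it really takes negative before inheritable: swapping two booleans compiles cleanly and would silently revoke the wrong entry, leaving the intended one in force. A unit test that grants the three entries from the report and revokes one of them would catch this.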


--- src/stores/org/apache/slide/store/impl/rdbms/CommonRDBMSAdapter.java       
19 May 2005 13:01:32 -0000      1.13
+++ src/stores/org/apache/slide/store/impl/rdbms/CommonRDBMSAdapter.java       
1 Jul 2005 12:39:50 -0000
@@ -227,8 +227,8 @@
     public void revokePermission(Connection connection, Uri uri, NodePermission
permission)
         throws ServiceAccessException {
         if (permission == null) return;
-        StringBuffer sql = new StringBuffer("delete from PERMISSIONS where
(OBJECT_ID, SUBJECT_ID, ACTION_ID) IN" +
-                " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID FROM URI ou, URI su,
URI au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING = ?)");
+        StringBuffer sql = new StringBuffer("delete from PERMISSIONS where
(OBJECT_ID, SUBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE) IN" +
+                " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID, ?,  ?  FROM URI ou,
URI su, URI au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING =
?)");
         PreparedStatement statement = null;
         try {
             final NodeRevisionNumber revisionNumber;
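Review bot: binding the two flags as bare `?` placeholders inside the subquery's select list makes them parameters 1 and 2 while the URI strings move to 3 through 5, which is easy to misread and relies on the driver supplying a type for an untyped select-list parameter. Comparing the columns in the outer WHERE clause is simpler and keeps the parameters in reading order, e.g. `delete from PERMISSIONS where (OBJECT_ID, SUBJECT_ID, ACTION_ID) IN (...) and IS_INHERITABLE = ? and IS_NEGATIVE = ?` with the flags bound as parameters 4 and 5.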
@@ -240,11 +240,13 @@
                sql.append(" and VERSION_NO IS NULL");
             }
             statement = connection.prepareStatement(sql.toString());
-            statement.setString(1, uri.toString());
-            statement.setString(2, permission.getSubjectUri());
-            statement.setString(3, permission.getActionUri());
+            statement.setInt(1, (permission.isInheritable() ? 1 : 0));
+            statement.setInt(2, (permission.isNegative() ? 1 : 0));
+            statement.setString(3, uri.toString());
+            statement.setString(4, permission.getSubjectUri());
+            statement.setString(5, permission.getActionUri());
             if (revisionNumber != null) {
-                statement.setString(4, revisionNumber.toString());
+                statement.setString(6, revisionNumber.toString());
             }
             statement.executeUpdate();
         } catch (SQLException e) {
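Review bot: now that the flags are part of the match, a revoke whose flags differ from the stored row deletes nothing and returns normally, so a caller that believes it removed an ACE is wrong and the entry stays in force. `executeUpdate()` returns the row count; check it and at least log, preferably throw, when it is zero. The bump of the `VERSION_NO` parameter to index 6 is consistent with the five parameters bound above it.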


--- src/stores/org/apache/slide/store/impl/rdbms/PostgresRDBMSAdapter.java     
13 Jun 2005 12:35:07 -0000      1.20
+++ src/stores/org/apache/slide/store/impl/rdbms/PostgresRDBMSAdapter.java     
1 Jul 2005 12:41:32 -0000
@@ -235,8 +235,8 @@
     public void revokePermission(Connection connection, Uri uri, NodePermission
permission)
     throws ServiceAccessException {
         if (permission == null) return;
-        final StringBuffer sql = new StringBuffer("delete from PERMISSIONS
where (OBJECT_ID, SUBJECT_ID, ACTION_ID) IN" +
-                " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID FROM URI ou, URI su,
URI au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING = ?)");
+        final StringBuffer sql = new StringBuffer("delete from PERMISSIONS
where (OBJECT_ID, SUBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE) IN" +
+                " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID, ?,  ? FROM URI ou,
URI su, URI au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING =
?)");
                PreparedStatement statement = null;
                try {
             final NodeRevisionNumber revisionNumber =
permission.getRevisionNumber();
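Review bot: this is the same statement as in `CommonRDBMSAdapter`, and on PostgreSQL a `?` in a select list has no column to take its type from, so correctness depends on the JDBC driver sending a parameter type with `setInt`. Moving the two flag comparisons into the outer WHERE clause (`and IS_INHERITABLE = ? and IS_NEGATIVE = ?`) removes that dependency and should be covered by a test against a real PostgreSQL instance rather than assumed.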
@@ -247,11 +247,13 @@
                 sql.append(" and VERSION_NO IS NULL");
             }
             statement = connection.prepareStatement(sql.toString());
-            statement.setString(1, uri.toString());
-            statement.setString(2, permission.getSubjectUri());
-            statement.setString(3, permission.getActionUri());
+            statement.setInt(1, (permission.isInheritable() ? 1 : 0));
+            statement.setInt(2, (permission.isNegative() ? 1 : 0));
+            statement.setString(3, uri.toString());
+            statement.setString(4, permission.getSubjectUri());
+            statement.setString(5, permission.getActionUri());
             if (revisionNumber != null) {
-                statement.setString(4, revisionNumber.toString());
+                statement.setString(6, revisionNumber.toString());
             }
             statement.executeUpdate();
                } catch (SQLException e) {


--- src/stores/org/apache/slide/store/impl/rdbms/StandardRDBMSAdapter.java     
19 May 2005 13:01:32 -0000      1.45
+++ src/stores/org/apache/slide/store/impl/rdbms/StandardRDBMSAdapter.java     
1 Jul 2005 12:42:09 -0000
@@ -598,8 +598,8 @@
     public void revokePermission(Connection connection, Uri uri, NodePermission
permission)
         throws ServiceAccessException {
         if (permission == null) return;
-        StringBuffer sql = new StringBuffer("delete from PERMISSIONS where
(OBJECT_ID, SUBJECT_ID, ACTION_ID) IN" +
-            " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID FROM URI ou, URI su, URI
au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING = ?)");
+        StringBuffer sql = new StringBuffer("delete from PERMISSIONS where
(OBJECT_ID, SUBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE) IN" +
+            " (SELECT ou.URI_ID, su.URI_ID, au.URI_ID, ?,  ?  FROM URI ou, URI
su, URI au WHERE ou.URI_STRING = ? and su.URI_STRING = ? and au.URI_STRING = 
?)");
         PreparedStatement statement = null;
         try {
             final NodeRevisionNumber revisionNumber;
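Review bot: this is the third verbatim copy of the delete statement and of the five `set*` calls; with `StandardRDBMSAdapter`, `CommonRDBMSAdapter` and `PostgresRDBMSAdapter` carrying identical text, the next fix to one of them will be missed in the others. Factor the statement and the binding sequence into one shared helper.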
@@ -611,11 +611,13 @@
                 sql.append(" and VERSION_NO IS NULL");
             }
             statement = connection.prepareStatement(sql.toString());
-            statement.setString(1, uri.toString());
-            statement.setString(2, permission.getSubjectUri());
-            statement.setString(3, permission.getActionUri());
+            statement.setInt(1, (permission.isInheritable() ? 1 : 0));
+            statement.setInt(2, (permission.isNegative() ? 1 : 0));
+            statement.setString(3, uri.toString());
+            statement.setString(4, permission.getSubjectUri());
+            statement.setString(5, permission.getActionUri());
             if (revisionNumber != null) {
-                statement.setString(4, revisionNumber.toString());
+                statement.setString(6, revisionNumber.toString());
             }
             statement.executeUpdate();
         } catch (SQLException e) 


--- src/conf/schema/createPostgresSchema.sql    3 Jun 2004 10:30:22 -0000       
1.3
+++ src/conf/schema/createPostgresSchema.sql    1 Jul 2005 12:45:34 -0000
@@ -163,7 +163,7 @@
     IS_NEGATIVE     smallint                   NOT NULL,
     -- Both order and sequence would be more suitable, but can not be used
     SUCCESSION      int                   NOT NULL,
-    UNIQUE (OBJECT_ID, SUBJECT_ID, ACTION_ID),
+    UNIQUE (OBJECT_ID, SUBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE),
     UNIQUE (OBJECT_ID, SUCCESSION)
 );
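Review bot: changing the UNIQUE constraint in the create script does not touch existing databases; an installation that already has a PERMISSIONS table keeps the three-column constraint and still rejects the second row of the report's example. An upgrade script (`ALTER TABLE PERMISSIONS DROP CONSTRAINT ...` followed by `ADD UNIQUE (OBJECT_ID, SUBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE)`, with the generated constraint name looked up first) should ship with this. Note also that the wider key admits up to four rows per (object, subject, action), so (OBJECT_ID, SUCCESSION) ordering now decides between a local grant and an inherited deny for the same triple; the report's example depends on that ordering and it should be documented.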


--- src/conf/schema/DB2Server.sql       15 Jul 2004 06:38:24 -0000      1.1
+++ src/conf/schema/DB2Server.sql       1 Jul 2005 12:46:47 -0000
@@ -126,7 +126,7 @@
    IS_INHERITABLE       NUMERIC(1)             not null,
    IS_NEGATIVE          NUMERIC(1)             not null,
    SUCCESSION           NUMERIC(10)            not null,
-   constraint "A_Key_1" unique (OBJECT_ID, SUBJECT_ID, ACTION_ID),
+   constraint "A_Key_1" unique (OBJECT_ID, SUBJECT_ID, ACTION_ID,
IS_INHERITABLE, IS_NEGATIVE),
    constraint "A_Key_2" unique (OBJECT_ID, SUCCESSION)
 );
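Review bot: the constraint keeps its name "A_Key_1", so the DB2 upgrade can be stated directly as `ALTER TABLE PERMISSIONS DROP UNIQUE "A_Key_1"` followed by re-adding it with the five columns; include it, otherwise DB2 users have to discover this change by diffing schema files.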


--- src/conf/schema/MySql-4.1-Schema.sql        25 May 2004 12:40:23 -0000      
1.2
+++ src/conf/schema/MySql-4.1-Schema.sql        1 Jul 2005 12:47:28 -0000
@@ -213,7 +213,7 @@
   IS_INHERITABLE  tinyint(1)   NOT NULL,
   IS_NEGATIVE     tinyint(1)   NOT NULL,
   SUCCESSION      int         NOT NULL,
-  PRIMARY KEY     (SUBJECT_ID,OBJECT_ID,ACTION_ID),
+  PRIMARY KEY     (SUBJECT_ID,OBJECT_ID,ACTION_ID,IS_INHERITABLE,IS_NEGATIVE),
   UNIQUE KEY OBJECT_ID_2 (OBJECT_ID,SUCCESSION),
   KEY ACTION_ID_IX3 (ACTION_ID)
 ) TYPE=InnoDB CHARACTER SET utf8;
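Review bot: MySQL is the only schema where the triple is the PRIMARY KEY rather than a UNIQUE constraint, so the InnoDB clustered key grows to five columns and every secondary index (OBJECT_ID_2, ACTION_ID_IX3) carries those five columns as its row reference. Harmless at permission-table sizes, but existing installations still need `ALTER TABLE PERMISSIONS DROP PRIMARY KEY, ADD PRIMARY KEY (SUBJECT_ID, OBJECT_ID, ACTION_ID, IS_INHERITABLE, IS_NEGATIVE)`, as for the other schemas.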

--- src/conf/schema/MySqlSchema.sql     25 May 2004 09:52:34 -0000      1.2
+++ src/conf/schema/MySqlSchema.sql     1 Jul 2005 12:48:27 -0000
@@ -213,7 +213,7 @@
   IS_INHERITABLE  tinyint(1)   NOT NULL,
   IS_NEGATIVE     tinyint(1)   NOT NULL,
   SUCCESSION      int         NOT NULL,
-  PRIMARY KEY     (SUBJECT_ID,OBJECT_ID,ACTION_ID),
+  PRIMARY KEY     (SUBJECT_ID,OBJECT_ID,ACTION_ID,IS_INHERITABLE,IS_NEGATIVE),
   UNIQUE KEY OBJECT_ID_2 (OBJECT_ID,SUCCESSION),
   KEY ACTION_ID_IX3 (ACTION_ID)
 ) TYPE=InnoDB;
@@ -223,4 +223,4 @@
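Review bot: the second hunk for MySqlSchema.sql (`@@ -223,4 +223,4 @@`) arrived empty, so whatever it changed, most likely a trailing-newline fix, is lost in this mail. Please attach the patch as a file to the bug rather than pasting it inline; the long SQL lines above are also wrapped by the mailer and will not apply cleanly.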

--- src/conf/schema/OracleSchema.sql    13 Nov 2004 15:02:28 -0000      1.2
+++ src/conf/schema/OracleSchema.sql    1 Jul 2005 12:48:56 -0000
@@ -165,7 +165,7 @@
        FOREIGN KEY("OBJECT_ID") REFERENCES "URI"("URI_ID"),
        FOREIGN KEY("SUBJECT_ID") REFERENCES "URI"("URI_ID"),
        FOREIGN KEY("ACTION_ID") REFERENCES "URI"("URI_ID"),
-       UNIQUE("OBJECT_ID", "SUBJECT_ID", "ACTION_ID"),
+       UNIQUE("OBJECT_ID", "SUBJECT_ID", "ACTION_ID",
"IS_INHERITABLE","IS_NEGATIVE"),
        UNIQUE("OBJECT_ID", "SUCCESSION")
 ) CACHE NOLOGGING;
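Review bot: the UNIQUE constraints here are unnamed, so Oracle assigns a generated SYS_C name and an upgrade script has to look it up in USER_CONSTRAINTS before it can drop it. Naming the constraints in the create script (as DB2Server.sql does with "A_Key_1") would make this and future upgrades a one-line ALTER.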


--- src/conf/schema/SQLServerSchema.sql 24 Jun 2004 13:18:53 -0000      1.4
+++ src/conf/schema/SQLServerSchema.sql 1 Jul 2005 12:49:20 -0000
@@ -286,7 +286,7 @@
     IS_NEGATIVE     bit                   NOT NULL,
     -- Both order and sequence would be more suitable, but can not be used
     SUCCESSION      int                   NOT NULL,
-    UNIQUE CLUSTERED (OBJECT_ID, SUBJECT_ID, ACTION_ID),
+    UNIQUE CLUSTERED (OBJECT_ID, SUBJECT_ID, 
ACTION_ID,IS_INHERITABLE,IS_NEGATIVE),
     UNIQUE (OBJECT_ID, SUCCESSION)
 )
-GO
\ No newline at end of file
+GO
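Review bot: the adapters changed above all use a multi-column `(OBJECT_ID, SUBJECT_ID, ACTION_ID, ...) IN (SELECT ...)` predicate, which Transact-SQL does not accept, so whichever adapter serves this schema is not one of the three in this patch and presumably still revokes on the old three-column match; please check and update it. The added trailing newline after the final `GO` is unrelated to the key change and worth a mention in the commit message.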


--- src/conf/schema/SybaseSchema.sql    11 May 2004 10:02:50 -0000      1.2
+++ src/conf/schema/SybaseSchema.sql    1 Jul 2005 12:49:52 -0000
@@ -280,7 +280,7 @@
     IS_NEGATIVE     bit                   NOT NULL,
     -- Both order and sequence would be more suitable, but can not be used
     SUCCESSION      int                   NOT NULL,
-    UNIQUE CLUSTERED (OBJECT_ID, SUBJECT_ID, ACTION_ID),
+    UNIQUE CLUSTERED (OBJECT_ID, SUBJECT_ID, 
ACTION_ID,IS_INHERITABLE,IS_NEGATIVE),
     UNIQUE (OBJECT_ID, SUCCESSION)
 )
 GO

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
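As an added illustration of the report's example (constructed example code written for this page, not Slide's own code and not part of the reporter's patch): a small Python model of the PERMISSIONS table under the old key and the extended key, plus an evaluation that walks from the requested node up to the root, checks the nearest node's entries first in table order with the first applicable entry deciding, and requires read on every ancestor, as the reporter states. The evaluation order, the default deny, and the names `PermissionTable`, `Ace`, `can_read` and `effective_reads` are assumptions of this model; it also shows that a revoke whose flags do not match the stored row deletes nothing.

```python
"""Constructed model of a Slide-style PERMISSIONS table and ACL evaluation.
Illustrative code written for this page, not Slide's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One row of the permissions table (an access control entry)."""
    obj: str            # object URI the entry is stored on
    subject: str        # subject URI
    action: str         # action URI
    inheritable: bool   # "inherited" in the report: applies to descendants too
    negative: bool      # deny instead of grant


class DuplicateKeyError(Exception):
    """Stands in for the database's unique-constraint violation."""


class PermissionTable:
    """Models the table's uniqueness rule. extended_key=False reproduces the
    old (OBJECT_ID, SUBJECT_ID, ACTION_ID) key; True adds the two flags, as
    the patch does. Insertion order stands in for the SUCCESSION column."""

    def __init__(self, extended_key):
        self.extended_key = extended_key
        self.rows = []

    def key(self, ace):
        k = (ace.obj, ace.subject, ace.action)
        if self.extended_key:
            k += (ace.inheritable, ace.negative)
        return k

    def grant(self, ace):
        if any(self.key(r) == self.key(ace) for r in self.rows):
            raise DuplicateKeyError(self.key(ace))
        self.rows.append(ace)

    def revoke(self, ace):
        """Delete rows matching the key; returns the number deleted, like
        executeUpdate(). With the extended key a revoke whose flags do not
        match the stored row deletes nothing."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if self.key(r) != self.key(ace)]
        return before - len(self.rows)


def ancestors(uri):
    """Root-first list of the URI and all its ancestors: /a/b -> [/a, /a/b]."""
    parts = uri.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def allowed_on_node(table, node, subject, action):
    """Evaluation model (an assumption, not Slide's documented algorithm):
    walk from the node up to the root; at each node consider its stored
    entries in table order, counting entries stored on an ancestor only if
    they are inheritable; the first applicable entry decides. No entry
    means deny."""
    for n in reversed(ancestors(node)):
        for ace in table.rows:
            if ace.obj != n or ace.subject != subject or ace.action != action:
                continue
            if n != node and not ace.inheritable:
                continue
            return not ace.negative
    return False


def can_read(table, uri, subject):
    """The reporter's rule: reading a node requires read on every ancestor."""
    return all(allowed_on_node(table, n, subject, READ) for n in ancestors(uri))


DONALD = "/users/donald"
READ = "/actions/read"

# The three entries from the bug report, in the order given there.
EXAMPLE = [
    Ace("/files", DONALD, READ, inheritable=False, negative=False),
    Ace("/files", DONALD, READ, inheritable=True, negative=True),
    Ace("/files/A", DONALD, READ, inheritable=True, negative=False),
]


def load_example(extended_key):
    """Load the report's entries; raises DuplicateKeyError under the old key."""
    table = PermissionTable(extended_key)
    for ace in EXAMPLE:
        table.grant(ace)
    return table


def old_key_rejects_example():
    """True if loading the report's entries fails under the old key."""
    try:
        load_example(extended_key=False)
    except DuplicateKeyError:
        return True
    return False


def effective_reads(table, uris=("/files", "/files/A", "/files/A/doc.txt", "/files/B")):
    """Donald's effective read access on a few constructed paths."""
    return {u: can_read(table, u, DONALD) for u in uris}


if __name__ == "__main__":
    print("old key rejects the example:", old_key_rejects_example())
    print(effective_reads(load_example(extended_key=True)))
```

Under the extended key Donald can read /files, /files/A and anything below A, but not /files/B; revoking the local grant on /files with the wrong flags returns 0 and changes nothing, while revoking it with the right flags leaves the inherited deny in charge of /files and, through the ancestor rule, of /files/A as well.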
