|
If you were logged in you would be able to see more operations.
|
|
|
|
File Attachments:
|
1.
authz.patch (2 kB)
|
|
Issue Links:
|
Duplicate
|
|
This issue duplicates:
|
|
SAK-15753
Improvement to one of the isAllowed() functions in authz
|
|
|
|
|
|
Relate
|
|
This issue relates to:
|
|
|
SAK-14996
student view / adding permission to allow students to upload podcasts not viewable via student view
|
|
|
|
|
|
|
|
|
While working on a different alternate role viewing bug, some code that existed in the kernel's authz code was reexamined and modified. The basic rundown was the previous code in the isAllowed(String, String, Collection) function located in the DbAuthzGroupService.java file, only checked the base site id (e.g. /site/sideId ) for permissions on the role instead of all of the realms that were passed into the Collection, which the normal use case does in a big nested SQL statement. This caused the Podcast bug linked to this jira to not work 100% correctly since the key realm to check was something like: /content/group/siteId/Podcasts/ .
So this new approach will make sure every realm passed into this function will get checked for permissions in the role that's being requested. It is also prioritized to check the /site/siteId realm first since that is where a true return will happen a vast majority of the time.
Not only does it fix the linked bug, but this may take care of a lot more bugs that may not have been discovered yet in other tools, since the scope of the feature is potentially any tool that exists in sakai and switching to a different role with countless number of permission/configuration scenarios.
The code was reviewed with colleagues at Indiana University and implemented some suggested changes. I'm presenting this to the community now to try to get it into the 2.6 release since I think it is a critical improvement/bug fix.
|
|
Description
|
While working on a different alternate role viewing bug, some code that existed in the kernel's authz code was reexamined and modified. The basic rundown was the previous code in the isAllowed(String, String, Collection) function located in the DbAuthzGroupService.java file, only checked the base site id (e.g. /site/sideId ) for permissions on the role instead of all of the realms that were passed into the Collection, which the normal use case does in a big nested SQL statement. This caused the Podcast bug linked to this jira to not work 100% correctly since the key realm to check was something like: /content/group/siteId/Podcasts/ .
So this new approach will make sure every realm passed into this function will get checked for permissions in the role that's being requested. It is also prioritized to check the /site/siteId realm first since that is where a true return will happen a vast majority of the time.
Not only does it fix the linked bug, but this may take care of a lot more bugs that may not have been discovered yet in other tools, since the scope of the feature is potentially any tool that exists in sakai and switching to a different role with countless number of permission/configuration scenarios.
The code was reviewed with colleagues at Indiana University and implemented some suggested changes. I'm presenting this to the community now to try to get it into the 2.6 release since I think it is a critical improvement/bug fix. |
Show » |
|
Task
Conversely, this code change will therefore not affect the behaviour of any "normal" (non-roleswap) authz calls?
Just want to be clear - as I understand it this is a bugfix to the authz changes for roleswap and doesn't (say) affect behaviour of authz in 2-5-x or non-roleswap behaviour.