Sakai / SAK-39179

Permission checking for attachments is too restrictive


    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.x
    • Fix Version/s: 2.6.x
    • Component/s: Kernel
    • Labels:
      None
    • Previous Issue Keys:
      SAK-17401, KNL-327

      Description

      BaseContentService.getEntityAuthzGroups(Reference,String) contains a block of code specifically to treat attachment resources in a special way. This block of code looks like:

      if (m_siteAttachments && (parts.length >= 3) && (parts[1].equals("attachment")))
      {
          String siteId = parts[2];
          if (m_siteService.siteExists(siteId))
          {
              rv.clear(); // Ignore the hierarchical inheritance in /attachment
              rv.add(m_siteService.siteReference(siteId));
              attachmentOverride = true; // Nothing else is needed
          }
      }

      This code was introduced by security issue SAK-10743, in revision 32520. The check is overly restrictive: because rv is cleared and only the site reference is added back, the attachment's own realm is never consulted, so a specific attachment cannot have its own permissions (for example, a public grant) set on it. A simple change to the block above adds back the attachment resource itself, in addition to the site, to the list of available authorizations. A patch implementing this change is attached.

      This issue is related to SAK-15571, which cannot be completed until this change is made.
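      The following is an added, stand-alone model of the lookup described above, not Sakai's BaseContentService code or the attached patch. It assumes a content reference layout of /content/attachment/<siteId>/..., a fixed list of known sites in place of SiteService.siteExists(), a simplified hierarchical walk, and a constructed realm table; the keepResource flag switches between the reported behaviour (site realm only) and the proposed fix (site realm plus the attachment's own realm), so the effect on a per-attachment grant can be seen directly.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-alone model of the authz-group lookup discussed in SAK-39179.
// This is NOT Sakai's BaseContentService: the reference layout
// (/content/attachment/<siteId>/...), the realm contents and the site list are
// all constructed for this demo.
public class AttachmentAuthzDemo {

    static final String SEPARATOR = "/";
    static final String CONTENT_PREFIX = "/content";

    // Stand-in for SiteService.siteExists(): a fixed set of known site ids (constructed).
    static final Set<String> KNOWN_SITES = Set.of("mercury", "chem101");

    static boolean siteExists(String siteId) { return KNOWN_SITES.contains(siteId); }

    static String siteReference(String siteId) { return "/site/" + siteId; }

    /**
     * Authz groups (realms) consulted for a content reference.
     *
     * @param id              resource id, e.g. "/attachment/mercury/Forums/abc/report.pdf"
     * @param siteAttachments the m_siteAttachments flag from the issue
     * @param keepResource    false = the behaviour the issue reports (site realm only);
     *                        true  = the proposed fix (site realm plus the resource's own realm)
     */
    static List<String> getEntityAuthzGroups(String id, boolean siteAttachments, boolean keepResource) {
        List<String> rv = new ArrayList<>();

        // Hierarchical inheritance (simplified): the resource, then each enclosing collection.
        String path = id;
        while (true) {
            rv.add(CONTENT_PREFIX + path);
            int cut = path.lastIndexOf(SEPARATOR);
            if (cut <= 0) break;
            path = path.substring(0, cut);
        }

        // The special case from the issue: the leading "/" makes parts[0] empty, so
        // parts[1] is the top-level collection and parts[2] the site id.
        String[] parts = id.split(SEPARATOR);
        if (siteAttachments && parts.length >= 3 && parts[1].equals("attachment")) {
            String siteId = parts[2];
            if (siteExists(siteId)) {
                rv.clear();                        // ignore the hierarchy under /attachment
                rv.add(siteReference(siteId));
                if (keepResource) {
                    rv.add(CONTENT_PREFIX + id);   // the fix: the attachment's own realm is consulted again
                }
            }
        }
        return rv;
    }

    /** True if any consulted realm grants the function (constructed realm model, no roles). */
    static boolean isAllowed(Map<String, Set<String>> realmGrants, List<String> groups, String function) {
        for (String realm : groups) {
            Set<String> grants = realmGrants.get(realm);
            if (grants != null && grants.contains(function)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String id = "/attachment/mercury/Forums/abc/report.pdf";

        // Constructed realms: the site realm does not grant content.read at all,
        // while this one attachment has been explicitly granted it.
        Map<String, Set<String>> realmGrants = new HashMap<>();
        realmGrants.put("/site/mercury", Set.of("content.new"));
        realmGrants.put(CONTENT_PREFIX + id, Set.of("content.read"));

        List<String> before = getEntityAuthzGroups(id, true, false);
        List<String> after  = getEntityAuthzGroups(id, true, true);
        System.out.println("reported behaviour: " + before
                + " -> read allowed = " + isAllowed(realmGrants, before, "content.read"));
        System.out.println("with the fix:       " + after
                + " -> read allowed = " + isAllowed(realmGrants, after, "content.read"));

        // An attachment under a site id that does not exist is untouched by the block
        // and keeps the full hierarchy.
        System.out.println("unknown site:       " + getEntityAuthzGroups("/attachment/ghost/x.pdf", true, false));
    }
}
```

      Running main() shows the reported behaviour consulting only /site/mercury (read denied despite the per-attachment grant), the fixed variant consulting both the site realm and the attachment's own realm (read allowed), and a reference whose site id is unknown falling through the special case with its hierarchy intact.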

                People

                • Assignee: Anthony Whyte (arwhyte)
                • Reporter: Jean-François Lévêque (jean-francois.leveque@upmc.fr)
                • Votes: 0
                • Watchers: 1
