SAK-15657

Permission checking for attachments is too restrictive


    Details

      Description

      BaseContentService.getEntityAuthzGroups(Reference,String) contains a block of code specifically to treat attachment resources in a special way. This block of code looks like:

      if ( m_siteAttachments && (parts.length >= 3) && (parts[1].equals("attachment")))
      {
          String siteId = parts[2];
          if ( m_siteService.siteExists(siteId) )
          {
              rv.clear(); // Ignore the hierarchical inheritance in /attachment
              rv.add(m_siteService.siteReference(siteId));
              attachmentOverride = true; // Nothing else is needed
          }
      }

      This code was introduced by security issue SAK-10743, in revision 32520. The check is overly restrictive: it does not allow a specific attachment to have its own permissions (for example, a public grant) set on it, because every authorization group except the site is discarded. A simple change to the above adds not only the site but also the attachment resource itself back to the list of available authorization groups. A patch that implements this change is attached.

      This issue is related to SAK-15571, which cannot be completed until this change is made.
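      The following is an added, self-contained illustration of the authorization-group lookup the issue describes; it is not Sakai's code and not the attached patch. It models the three behaviours side by side: full hierarchical inheritance (what the /attachment override suppresses), the restrictive override as quoted above, and the proposed change that adds only the attachment resource itself back. The site service stand-in, the "/attachment/<siteId>/..." resource-id layout, the "/content" prefix for a resource's own reference, and the m_siteAttachments flag being enabled are all assumptions made for the demo. The point to check when applying the real patch is the same one the demo makes explicit: the fix re-adds the single resource reference, not the folder hierarchy that SAK-10743 deliberately removed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Hypothetical model of the authz-group lookup discussed in SAK-15657.
 * Not Sakai code. Site service, reference format and ordering are assumed.
 */
public class AttachmentAuthzDemo {

    // Stand-in for m_siteService: the only site that "exists" in this demo.
    private static final Set<String> EXISTING_SITES =
            new HashSet<>(Arrays.asList("site-abc"));

    static boolean siteExists(String siteId) {
        return EXISTING_SITES.contains(siteId);
    }

    static String siteReference(String siteId) {
        return "/site/" + siteId;
    }

    // Assumed form of a content resource's own reference: "/content" + id.
    static String resourceReference(String id) {
        return "/content" + id;
    }

    /**
     * Hierarchical inheritance: the resource itself, then each containing
     * folder (with trailing '/'), most specific first. SAK-10743 removed this
     * for /attachment so that folder-level grants cannot flow down to files.
     */
    static List<String> hierarchicalGroups(String id) {
        List<String> rv = new ArrayList<>();
        rv.add(resourceReference(id));
        int slash = id.lastIndexOf('/');
        while (slash > 0) {
            rv.add(resourceReference(id.substring(0, slash + 1)));
            slash = id.lastIndexOf('/', slash - 1);
        }
        return rv;
    }

    /** Behaviour quoted in the issue: for an existing site, keep only the site. */
    static List<String> restrictiveGroups(String id) {
        List<String> rv = hierarchicalGroups(id);
        String[] parts = id.split("/");
        if (parts.length >= 3 && parts[1].equals("attachment")) {
            String siteId = parts[2];
            if (siteExists(siteId)) {
                rv.clear();                     // drop the /attachment hierarchy
                rv.add(siteReference(siteId));  // nothing else is considered
            }
        }
        return rv;
    }

    /**
     * Proposed change: keep the site and add back the attachment resource
     * itself, so a grant made on that one resource (e.g. public read) can take
     * effect. Folder references are still NOT restored. Precedence between the
     * two groups is not modelled here.
     */
    static List<String> proposedGroups(String id) {
        List<String> rv = hierarchicalGroups(id);
        String[] parts = id.split("/");
        if (parts.length >= 3 && parts[1].equals("attachment")) {
            String siteId = parts[2];
            if (siteExists(siteId)) {
                rv.clear();
                rv.add(siteReference(siteId));
                rv.add(resourceReference(id));  // the one line the issue asks for
            }
        }
        return rv;
    }

    public static void main(String[] args) {
        // Constructed sample ids: one under an existing site, one under an
        // unknown site (falls through to the hierarchy), one outside /attachment.
        String[] samples = {
            "/attachment/site-abc/Assignments/xyz/report.pdf",
            "/attachment/no-such-site/Assignments/xyz/report.pdf",
            "/group/site-abc/report.pdf"
        };
        for (String id : samples) {
            System.out.println("id:           " + id);
            System.out.println("  hierarchical: " + hierarchicalGroups(id));
            System.out.println("  restrictive:  " + restrictiveGroups(id));
            System.out.println("  proposed:     " + proposedGroups(id));
        }
    }
}
```

      Running it shows the first sample collapsing to [/site/site-abc] under the restrictive rule and to [/site/site-abc, /content/attachment/site-abc/Assignments/xyz/report.pdf] under the proposed one, while the other two samples keep their full hierarchy in all three variants because the override never fires for them.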


          Attachments

          1. content-2-5-x-patch.txt
            0.6 kB
          2. kernel_SAK-15657.patch
            0.6 kB
          3. kernel-impl-1.0-patch.txt
            0.6 kB
          4. kernel-impl-trunk-patch.txt
            0.6 kB
          5. SAK-15657_2-5-x_r69314.patch
            0.6 kB

                People

                • Assignee:
                  aaronz Aaron Zeckoski (Inactive)
                  Reporter:
                  holdorph Cris Holdorph (Inactive)
