Ticket #1075 (closed Defect: fixed)

Opened 8 years ago

Last modified 8 years ago

without write permission topic.delete() does not throw an exception

Reported by: Malte Owned by: jri
Priority: Major Milestone: Release 4.8.7
Component: DeepaMehta Standard Distribution Version: 4.8.3
Keywords: Cc: dgf, Malte, JuergeN
Complexity: 3 Area: Application Framework / API
Module: deepamehta-core

Description

If the requesting user does not have a WRITE permission the following code does not work as expected. If the user has no WRITE permission no exception is raised by the core. After using these calls I double checked the topic and it was not deleted.

geoObject.delete();

Using this "attached API" style and with the parameters described (no WRITE permission), no exception is thrown and the topic in question was simply not deleted.

Surprisingly the following works as expected

dm4.deleteTopic(geoObject.getId());

as it, for the same parameters as above, raises the following Exception:

04.04.2017 13:46:13 de.deepamehta.core.util.UniversalExceptionMapper logException
SEVERE: Request "GET /website/geo/delete/165491" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: java.lang.RuntimeException: Deleting topic 165491 failed
	at de.kiezatlas.website.WebsitePlugin.deleteCompleteGeoObject(WebsitePlugin.java:1959)
	at de.kiezatlas.website.WebsitePlugin.deleteGeoObject(WebsitePlugin.java:574)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:622)
	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1480)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1411)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1360)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1350)
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:339)
	at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:300)
	at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
	at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
	at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
	at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:76)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:49)
	at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
	at java.lang.Thread.run(Thread.java:701)
Caused by: java.lang.RuntimeException: Deleting topic 165491 failed
	at de.deepamehta.core.impl.PersistenceLayer.deleteTopic(PersistenceLayer.java:186)
	at de.deepamehta.core.impl.CoreServiceImpl.deleteTopic(CoreServiceImpl.java:128)
	at de.kiezatlas.website.WebsitePlugin.deleteCompleteGeoObject(WebsitePlugin.java:1953)
	... 52 more
Caused by: de.deepamehta.core.service.accesscontrol.AccessControlException: user "malte" has no WRITE permission for object 165491
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkAccess(AccessControlPlugin.java:871)
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkWriteAccess(AccessControlPlugin.java:854)
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkTopicWriteAccess(AccessControlPlugin.java:474)
	at de.deepamehta.core.impl.CoreEvent$3.dispatch(CoreEvent.java:54)
	at de.deepamehta.core.impl.EventManager.dispatchEvent(EventManager.java:83)
	at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:59)
	at de.deepamehta.core.impl.PersistenceLayer.checkTopicWriteAccess(PersistenceLayer.java:558)
	at de.deepamehta.core.impl.PersistenceLayer.deleteTopic(PersistenceLayer.java:182)
	... 54 more

Change History

comment:1 Changed 8 years ago by jri

  • Status changed from new to accepted
  • Area set to Application Framework / API
  • Cc dgf, Malte, JuergeN added
  • Module set to deepamehta-core
  • Milestone set to Release 4.8.7
  • Owner set to jri

comment:2 Changed 8 years ago by jri

In https://github.com/jri/deepamehta/commit/a461aed0:

Fix access control for topic/assoc delete (#1075)

Java API:

When calling delete() directly on a Topic/Association object (*Attached Object API*) the requesting user's WRITE permission is checked.

Thank you, Malte, for reporting!

See #1075

comment:3 Changed 8 years ago by jri

Note: the same needs to be fixed for the update() method.

comment:4 Changed 8 years ago by Jörg Richter <jri@…>

In 9754931afc78975e6adb0e4489a7cbd541945def/deepamehta:

Fix access control for topic/assoc update (#1075)

Java API:

When calling update() directly on a Topic/Association object (*Attached Object API*) the requesting user's WRITE permission is checked.

BREAKING CHANGE

1 method dropped from DeepaMehtaObject:

void update(DeepaMehtaObjectModel model)

Note: the Topic and Association sub-interfaces still have an update() method.

See #1075
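As an added illustration (not DeepaMehta's code and not taken from the commits referenced above), the following self-contained Java program models the two code paths the description contrasts, the "attached object" delete() that silently did nothing and the service-level deleteTopic() that throws AccessControlException, together with the fix described in comment:2 and comment:4: the attached object's delete() and update() delegate to the one path that performs the WRITE check. All class and method names (Core, Acl, AttachedTopicBefore, AttachedTopicAfter, storeDelete, updateTopic) are hypothetical stand-ins. The silent early return in AttachedTopicBefore only reproduces the reported symptom (no exception, topic not deleted); it is not a claim about the actual cause in DeepaMehta 4.8.3. The user name and object id are reused from the log in the description.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model of the ticket's two delete paths; not DeepaMehta code. */
public class DeleteAccessCheck {

    static class AccessControlException extends RuntimeException {
        AccessControlException(String msg) { super(msg); }
    }

    /** Stand-in for the access-control plugin: only the owner has WRITE. */
    static class Acl {
        private final Map<Long, String> owner = new HashMap<>();
        boolean hasWrite(String user, long id) { return user.equals(owner.get(id)); }
        void checkWrite(String user, long id) {
            if (!hasWrite(user, id)) {
                throw new AccessControlException(
                    "user \"" + user + "\" has no WRITE permission for object " + id);
            }
        }
    }

    /** Stand-in for the core service plus persistence layer. */
    static class Core {
        final Acl acl = new Acl();
        private final Map<Long, String> topics = new HashMap<>(); // id -> topic name

        long createTopic(String user, long id, String name) {
            topics.put(id, name);
            acl.owner.put(id, user);
            return id;
        }
        boolean exists(long id) { return topics.containsKey(id); }
        String name(long id) { return topics.get(id); }

        /** Service API (cf. dm4.deleteTopic): the check runs before the delete. */
        void deleteTopic(String user, long id) {
            acl.checkWrite(user, id);
            topics.remove(id);
        }
        /** Service API for update: same single choke point for the WRITE check. */
        void updateTopic(String user, long id, String newName) {
            acl.checkWrite(user, id);
            topics.put(id, newName);
        }
        /** Storage-level delete with no check; only checked callers may use it. */
        void storeDelete(long id) { topics.remove(id); }
    }

    /** Attached-object API before the fix: a silent no-op when WRITE is missing. */
    static class AttachedTopicBefore {
        final Core core; final long id; final String user;
        AttachedTopicBefore(Core core, long id, String user) { this.core = core; this.id = id; this.user = user; }
        void delete() {
            if (!core.acl.hasWrite(user, id)) return; // fails silently: the symptom in the ticket
            core.storeDelete(id);
        }
    }

    /** Attached-object API after the fix: every mutation goes through the checked path. */
    static class AttachedTopicAfter {
        final Core core; final long id; final String user;
        AttachedTopicAfter(Core core, long id, String user) { this.core = core; this.id = id; this.user = user; }
        void delete() { core.deleteTopic(user, id); }
        void update(String newName) { core.updateTopic(user, id, newName); }
    }

    /** Runs one attempt and reports whether it threw and whether the topic survived. */
    static String attempt(String label, Core core, long id, Runnable op) {
        String outcome;
        try { op.run(); outcome = "no exception"; }
        catch (AccessControlException e) { outcome = "threw: " + e.getMessage(); }
        return label + " -> " + outcome + "; topic exists afterwards: " + core.exists(id)
            + (core.exists(id) ? " (name \"" + core.name(id) + "\")" : "");
    }

    public static void main(String[] args) {
        Core core = new Core();
        long id = core.createTopic("owner", 165491L, "geo object");
        String other = "malte"; // a user without WRITE permission on the topic

        System.out.println(attempt("before fix, attached delete()", core, id,
            () -> new AttachedTopicBefore(core, id, other).delete()));
        System.out.println(attempt("service deleteTopic()", core, id,
            () -> core.deleteTopic(other, id)));
        System.out.println(attempt("after fix, attached update()", core, id,
            () -> new AttachedTopicAfter(core, id, other).update("renamed")));
        System.out.println(attempt("after fix, attached delete()", core, id,
            () -> new AttachedTopicAfter(core, id, other).delete()));
        // The owner is still allowed through the fixed path.
        System.out.println(attempt("after fix, owner delete()", core, id,
            () -> new AttachedTopicAfter(core, id, "owner").delete()));
    }
}
```

The design point the fix commits make is visible in the last two attempts: once delete() and update() on the attached object delegate to the same checked service methods, a caller without WRITE permission gets an AccessControlException on every entry point rather than a silent no-op on one of them, and the authorization decision lives in one place that both APIs must pass through.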

comment:5 Changed 8 years ago by jri

  • Status changed from accepted to closed
  • Resolution set to fixed