Ticket #1075 (closed Defect: fixed)

Opened 5 years ago

Last modified 4 years ago

without write permission topic.delete() does not throw an exception

Reported by: Malte Owned by: jri
Priority: Major Milestone: Release 4.8.7
Component: DeepaMehta Standard Distribution Version: 4.8.3
Keywords: Cc: dgf, Malte, JuergeN
Complexity: 3 Area: Application Framework / API
Module: deepamehta-core

Description

If the requesting user does not have a WRITE permission the following code does not work as expected. If the user has no WRITE permission no exception is raised by the core. After using these calls I double checked the topci and it was not deleted.

geoObject.delete();

Using this "attached API" style and with the parameters described (no WRITE permission), no exception is thrown and the topic in questions was simply not deleted.

Surprisingly the following works as expected

dm4.deleteTopic(geoObject.getId());

as it, for the same parameters like above, raises the following Exception:

04.04.2017 13:46:13 de.deepamehta.core.util.UniversalExceptionMapper logException
SEVERE: Request "GET /website/geo/delete/165491" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: java.lang.RuntimeException: Deleting topic 165491 failed
	at de.kiezatlas.website.WebsitePlugin.deleteCompleteGeoObject(WebsitePlugin.java:1959)
	at de.kiezatlas.website.WebsitePlugin.deleteGeoObject(WebsitePlugin.java:574)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:622)
	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1480)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1411)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1360)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1350)
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:339)
	at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:300)
	at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
	at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
	at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
	at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:76)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:49)
	at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
	at java.lang.Thread.run(Thread.java:701)
Caused by: java.lang.RuntimeException: Deleting topic 165491 failed
	at de.deepamehta.core.impl.PersistenceLayer.deleteTopic(PersistenceLayer.java:186)
	at de.deepamehta.core.impl.CoreServiceImpl.deleteTopic(CoreServiceImpl.java:128)
	at de.kiezatlas.website.WebsitePlugin.deleteCompleteGeoObject(WebsitePlugin.java:1953)
	... 52 more
Caused by: de.deepamehta.core.service.accesscontrol.AccessControlException: user "malte" has no WRITE permission for object 165491
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkAccess(AccessControlPlugin.java:871)
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkWriteAccess(AccessControlPlugin.java:854)
	at de.deepamehta.accesscontrol.AccessControlPlugin.checkTopicWriteAccess(AccessControlPlugin.java:474)
	at de.deepamehta.core.impl.CoreEvent$3.dispatch(CoreEvent.java:54)
	at de.deepamehta.core.impl.EventManager.dispatchEvent(EventManager.java:83)
	at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:59)
	at de.deepamehta.core.impl.PersistenceLayer.checkTopicWriteAccess(PersistenceLayer.java:558)
	at de.deepamehta.core.impl.PersistenceLayer.deleteTopic(PersistenceLayer.java:182)
	... 54 more

Change History

comment:1 Changed 4 years ago by jri

  • Status changed from new to accepted
  • Area set to Application Framework / API
  • Cc dgf, Malte, JuergeN added
  • Module set to deepamehta-core
  • Milestone set to Release 4.8.7
  • Owner set to jri

comment:2 Changed 4 years ago by jri

In https://github.com/jri/deepamehta/commit/a461aed0:

Fix access control for topic/assoc delete (#1075)

Java API:

When calling delete() directly on a Topic/Association object (*Attached Object API*) the requesting user's WRITE permission is checked.

Thank you, Malte, for reporting!

See #1075

comment:3 Changed 4 years ago by jri

Note: the same needs to be fixed for the update() method.

comment:4 Changed 4 years ago by Jörg Richter <jri@…>

In 9754931afc78975e6adb0e4489a7cbd541945def/deepamehta:

Fix access control for topic/assoc update (#1075)

Java API:

When calling update() directly on a Topic/Association object (*Attached Object API*) the requesting user's WRITE permission is checked.

BREAKING CHANGE

1 method dropped from DeepaMehtaObject:

void update(DeepaMehtaObjectModel model)

Note: the Topic and Association sub-interfaces still have an update() method.

See #1075

comment:5 Changed 4 years ago by jri

  • Status changed from accepted to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.