Ticket #890 (closed Defect: invalid)
Topic in System Workspace (Public) is not readable by anonymous
| Reported by: | Malte | Owned by: | jri |
|---|---|---|---|
| Priority: | Major | Milestone: | |
| Component: | DeepaMehta Standard Distribution | Version: | 4.7 |
| Keywords: | | Cc: | |
| Complexity: | 3 | Area: | |
| Module: | deepamehta-accesscontrol | | |
Description
If I am an unauthenticated visitor (not logged in, thus acting as "everyone") and try to access a (composite) topic which is currently assigned to the "System" workspace, I get the following exception:
{"exception":"java.lang.RuntimeException","message":"Fetching topic failed (key=\"uri\", value=\"de.mikromedia.standard_site\")","cause":{"exception":"de.deepamehta.core.service.accesscontrol.AccessControlException","message":"user <anonymous> has no READ permission for object 3543"}}
I think this might be a defect as it does not seem to correlate with our latest definition of the access control mechanism, esp. not with "SharingMode.PUBLIC".
On the server side I get the following error:
```
Nov 17, 2015 5:02:57 PM de.deepamehta.core.util.UniversalExceptionMapper logException
SCHWERWIEGEND: Request "GET /admin/hello" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Fetching topic failed (key="uri", value="de.mikromedia.standard_site")
    at de.deepamehta.core.impl.EmbeddedService.getTopic(EmbeddedService.java:115)
    at de.mikromedia.webpages.WebpagePlugin.loadCustomSiteTopic(WebpagePlugin.java:278)
    at de.mikromedia.webpages.WebpagePlugin.getCustomSiteTitle(WebpagePlugin.java:266)
    at de.mikromedia.webpages.WebpagePlugin.prepareTemplateSiteData(WebpagePlugin.java:253)
    at de.mikromedia.webpages.WebpagePlugin.getPageView(WebpagePlugin.java:122)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
    at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
    at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
    at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
    at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
    at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1480)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1411)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1360)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1350)
    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:339)
    at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:300)
    at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
    at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:76)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:49)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:370)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Thread.java:745)
Caused by: de.deepamehta.core.service.accesscontrol.AccessControlException: user <anonymous> has no READ permission for object 3543
    at de.deepamehta.plugins.accesscontrol.AccessControlPlugin.checkReadPermission(AccessControlPlugin.java:803)
    at de.deepamehta.plugins.accesscontrol.AccessControlPlugin.preGetTopic(AccessControlPlugin.java:430)
    at de.deepamehta.core.impl.CoreEvent$1.deliver(CoreEvent.java:32)
    at de.deepamehta.core.impl.EventManager.deliverEvent(EventManager.java:97)
    at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:63)
    at de.deepamehta.core.impl.EmbeddedService.fireEvent(EmbeddedService.java:531)
    at de.deepamehta.core.impl.EmbeddedService.checkAccess(EmbeddedService.java:747)
    at de.deepamehta.core.impl.EmbeddedService.instantiateTopic(EmbeddedService.java:653)
    at de.deepamehta.core.impl.EmbeddedService.getTopic(EmbeddedService.java:113)
    ... 55 more
```
Change History
Only authenticated users have READ access to the System workspace, despite it being public.
This is a hardcoded rule particularly for the System workspace.
This reflects the original concept of the System workspace as introduced in DM 4.5
ticket:751#comment:20
ticket:751#comment:24
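The rule stated in the answer above, as an added example: a simplified model of the READ decision, not DeepaMehta's own code. The class, record and method names, the two-value `SharingMode` enum and the workspace URIs are all assumptions made for illustration; the point is that the hardcoded System-workspace check is evaluated before the sharing mode, which is why an anonymous request is denied even though the workspace is PUBLIC.

```java
import java.util.Optional;

/** Simplified model of the READ decision discussed in this ticket (not DeepaMehta code). */
public class SystemWorkspaceReadRule {

    // Only the two modes needed here; membership-based modes are left out of this model.
    enum SharingMode { PRIVATE, PUBLIC }

    // Hypothetical workspace record: URI, sharing mode and owner.
    record Workspace(String uri, SharingMode mode, String owner) {}

    // Placeholder URI standing in for the System workspace (assumed value).
    static final String SYSTEM_WORKSPACE_URI = "example.workspace.system";

    /** username is empty for an unauthenticated request, i.e. the "anonymous" user. */
    static boolean hasReadPermission(Optional<String> username, Workspace ws) {
        // Hardcoded rule first: the System workspace requires a login,
        // whatever its sharing mode says.
        if (ws.uri().equals(SYSTEM_WORKSPACE_URI)) {
            return username.isPresent();
        }
        switch (ws.mode()) {
            case PUBLIC:
                return true;                                   // readable by everyone
            case PRIVATE:
                return username.map(ws.owner()::equals).orElse(false);
            default:
                return false;                                  // deny by default
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two PUBLIC workspaces, one of them the System workspace.
        Workspace system = new Workspace(SYSTEM_WORKSPACE_URI, SharingMode.PUBLIC, "admin");
        Workspace site = new Workspace("example.workspace.site", SharingMode.PUBLIC, "admin");
        Optional<String> anonymous = Optional.empty();
        Optional<String> loggedIn = Optional.of("Malte");

        System.out.println("anonymous, System workspace: " + hasReadPermission(anonymous, system));
        System.out.println("logged in, System workspace: " + hasReadPermission(loggedIn, system));
        System.out.println("anonymous, other PUBLIC workspace: " + hasReadPermission(anonymous, site));
    }
}
```

In this model only the first case is denied, which matches the 401 the ticket reports for an anonymous `getTopic` call on a topic assigned to the System workspace.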