Ticket #890 (closed Defect: invalid)

Opened 5 years ago

Last modified 5 years ago

Topic in System Workspace (Public) is not readable by anonymous

Reported by: Malte
Owned by: jri
Priority: Major
Milestone:
Component: DeepaMehta Standard Distribution
Version: 4.7
Keywords:
Cc:
Complexity: 3
Area:
Module: deepamehta-accesscontrol

Description

If I am an unauthenticated visitor (not logged in, thus acting as "everyone") and try to access a (composite) topic which is currently assigned to the "System" workspace, I get the following exception.

{"exception":"java.lang.RuntimeException","message":"Fetching topic failed (key=\"uri\", value=\"de.mikromedia.standard_site\")","cause":{"exception":"de.deepamehta.core.service.accesscontrol.AccessControlException","message":"user <anonymous> has no READ permission for object 3543"}}

I think this might be a defect, as it does not seem to correlate with our latest definition of the access control mechanism, esp. not with "SharingMode.PUBLIC".

On the server side I get the following error:

Nov 17, 2015 5:02:57 PM de.deepamehta.core.util.UniversalExceptionMapper logException
SCHWERWIEGEND: Request "GET /admin/hello" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Fetching topic failed (key="uri", value="de.mikromedia.standard_site")
	at de.deepamehta.core.impl.EmbeddedService.getTopic(EmbeddedService.java:115)
	at de.mikromedia.webpages.WebpagePlugin.loadCustomSiteTopic(WebpagePlugin.java:278)
	at de.mikromedia.webpages.WebpagePlugin.getCustomSiteTitle(WebpagePlugin.java:266)
	at de.mikromedia.webpages.WebpagePlugin.prepareTemplateSiteData(WebpagePlugin.java:253)
	at de.mikromedia.webpages.WebpagePlugin.getPageView(WebpagePlugin.java:122)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.ResourceObjectRule.accept(ResourceObjectRule.java:100)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1480)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1411)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1360)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1350)
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:339)
	at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:300)
	at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
	at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
	at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
	at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:76)
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:49)
	at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
	at java.lang.Thread.run(Thread.java:745)
Caused by: de.deepamehta.core.service.accesscontrol.AccessControlException: user <anonymous> has no READ permission for object 3543
	at de.deepamehta.plugins.accesscontrol.AccessControlPlugin.checkReadPermission(AccessControlPlugin.java:803)
	at de.deepamehta.plugins.accesscontrol.AccessControlPlugin.preGetTopic(AccessControlPlugin.java:430)
	at de.deepamehta.core.impl.CoreEvent$1.deliver(CoreEvent.java:32)
	at de.deepamehta.core.impl.EventManager.deliverEvent(EventManager.java:97)
	at de.deepamehta.core.impl.EventManager.fireEvent(EventManager.java:63)
	at de.deepamehta.core.impl.EmbeddedService.fireEvent(EmbeddedService.java:531)
	at de.deepamehta.core.impl.EmbeddedService.checkAccess(EmbeddedService.java:747)
	at de.deepamehta.core.impl.EmbeddedService.instantiateTopic(EmbeddedService.java:653)
	at de.deepamehta.core.impl.EmbeddedService.getTopic(EmbeddedService.java:113)
	... 55 more
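
Added example, not part of the original ticket or of DeepaMehta's code: the response above reports a generic RuntimeException on the outside and the real AccessControlException only in the nested "cause", so triaging such 401 responses means walking the cause chain. The message pattern is inferred from the single message quoted in this ticket and is an assumption about the general format; the function names are hypothetical.

```python
import json
import re

# Error body copied verbatim from the ticket description above.
TICKET_RESPONSE = r'''{"exception":"java.lang.RuntimeException","message":"Fetching topic failed (key=\"uri\", value=\"de.mikromedia.standard_site\")","cause":{"exception":"de.deepamehta.core.service.accesscontrol.AccessControlException","message":"user <anonymous> has no READ permission for object 3543"}}'''

ACCESS_CONTROL_EXCEPTION = (
    "de.deepamehta.core.service.accesscontrol.AccessControlException"
)

# Assumption: inferred from the one message shown in the ticket,
# not taken from the DeepaMehta source.
DENIAL_RE = re.compile(
    r"user (?P<user>\S+) has no (?P<operation>[A-Z]+) "
    r"permission for object (?P<object_id>\d+)"
)


def cause_chain(error, max_depth=32):
    """Yield each nested "cause" level, outermost first (depth-bounded)."""
    depth = 0
    while isinstance(error, dict) and depth < max_depth:
        yield error
        error = error.get("cause")
        depth += 1


def find_access_denial(body):
    """Return details of an access-control denial in an error body, or None."""
    try:
        root = json.loads(body)
    except ValueError:
        return None  # not a JSON error body
    for level in cause_chain(root):
        if level.get("exception") != ACCESS_CONTROL_EXCEPTION:
            continue
        match = DENIAL_RE.search(str(level.get("message", "")))
        if match:
            return {
                "user": match.group("user"),
                "operation": match.group("operation"),
                "object_id": int(match.group("object_id")),
                "anonymous": match.group("user") == "<anonymous>",
                "outermost": root.get("exception"),
            }
    return None


if __name__ == "__main__":
    print(find_access_denial(TICKET_RESPONSE))
```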

Change History

comment:1 Changed 5 years ago by jri

Only authenticated users have READ access to the System workspace, despite it being public.
This is a hardcoded rule particularly for the System workspace.
This reflects the original concept of the System workspace as introduced in DM 4.5.

ticket:751#comment:20
ticket:751#comment:24

comment:2 Changed 5 years ago by jri

  • Status changed from new to closed
  • Resolution set to invalid