Bug #301 (closed)
Opened 18 years ago
Closed 18 years ago
BasicSecuritySystem only allows modifications for members logged into same group
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Cc: | cxallan |
| Sprint: | n.a. | | |
| Total Remaining Time: | n.a. | | |
Description
BSS only permitted modifications to an object which was group-writable if the user had logged in explicitly to the group, e.g. via Login(userName,password, groupName, eventType).
The implementation was roughly:
```
1. boolean allowUpdate(){
2.   //...
3.   if ( p.isGranted(GROUP,WRITE) && group.getId().equals( currentGroupId() ))
4.     return true;
5.   //...
6. }
```
Line 3 should be changed to:
```
if ( p.isGranted(GROUP,WRITE) && memberOfGroups().contains( group.getId() ))
```
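The difference between the two checks, as an added example that is not part of the ticket or the project's code: a constructed Java model (Java 16+ assumed, for records) in which `Session`, `Obj`, `allowUpdateBefore` and `allowUpdateAfter` are hypothetical names. It also confirms that the relaxed check still refuses non-members and objects without group write.

```java
import java.util.Set;

// Hypothetical stand-in for the ticket's allowUpdate(); not the project's code.
public class GroupWriteCheck {

    // Constructed model of a caller's session: the group chosen at login
    // plus every group the user belongs to.
    record Session(long currentGroupId, Set<Long> memberOfGroups) {}

    // Constructed model of an object: owning group and its group-write bit.
    record Obj(long groupId, boolean groupWrite) {}

    // Check as described in the ticket before the fix: only the login group counts.
    static boolean allowUpdateBefore(Session s, Obj o) {
        return o.groupWrite() && o.groupId() == s.currentGroupId();
    }

    // Check as suggested in the ticket: any group the user is a member of counts.
    static boolean allowUpdateAfter(Session s, Obj o) {
        return o.groupWrite() && s.memberOfGroups().contains(o.groupId());
    }

    // Fails loudly if a case does not behave as stated.
    static void check(String name, boolean actual, boolean expected) {
        if (actual != expected) throw new AssertionError(name);
        System.out.println(name + " -> " + actual);
    }

    public static void main(String[] args) {
        Session member = new Session(1L, Set.of(1L, 2L));   // logged into 1, also in 2
        Session outsider = new Session(1L, Set.of(1L));     // not a member of 2
        Obj writable = new Obj(2L, true);
        Obj readOnly = new Obj(2L, false);

        // The reported bug: a legitimate member of group 2 is refused.
        check("before: member, other login group", allowUpdateBefore(member, writable), false);
        check("after: member, other login group", allowUpdateAfter(member, writable), true);
        // The fix must not widen access beyond membership or the WRITE bit.
        check("after: non-member", allowUpdateAfter(outsider, writable), false);
        check("after: member, no group write", allowUpdateAfter(member, readOnly), false);
    }
}
```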
Change History (2)
comment:1 Changed 18 years ago by jmoore
comment:2 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
This is working in (client) WriteSecurityTest. Closing.
r890 implements the suggested fix.