Bug #341 (closed)
Opened 18 years ago
Closed 18 years ago
When an attached object is readable, users cannot update the attachee.
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | major | Cc: | |
Sprint: | n.a. | ||
Total Remaining Time: | n.a. |
Description (last modified by jmoore)
Assuming there is a Pixels (RW_RW_RW) and a Thumbnail (RW_RW_xx) both belonging to A. If B, (not in A's group) attempts to update the Pixels instance the following will be thrown since B cannot read the Thumbnail instance:
FAILED: test_U_Pixels_And_U_Thumbnails ome.conditions.SecurityViolation: Cannot read ome.model.display.Thumbnail at ome.security.BasicSecuritySystem.throwLoadViolation(BasicSecuritySystem.java:289) at ome.security.ACLEventListener.onPostLoad(ACLEventListener.java:126)
This is due to overprotected permissions on load. A possible solution is to use Hibernate's "EventSource.internalLoad".
Change History (2)
comment:1 Changed 18 years ago by jmoore
- Description modified (diff)
comment:2 Changed 18 years ago by jmoore
- Keywords changed from iteration5, permissions to iteration5, permissions, tip
- Resolution set to fixed
- Status changed from new to closed
internalLoad is unneeded. Basically, one should never pass a self-unreadable object (even if just a proxy) over the wire. In this case, the fix is easy. Pass back a null set of Pixels. Since the Pixels.thumbnails side is inverse, Hibernate won't care anyway. Will have to examine other use cases.