
Bug #345 (closed)

Opened 15 years ago

Closed 15 years ago

Locking mechanism is granting too many privileges

Reported by: jamoore Owned by: jamoore
Priority: critical Cc:
Sprint: n.a.
Total Remaining Time: n.a.

Description

SecuritySystem.markLocked() called by FlushEntityEventListener is giving tokens away too freely. This has to be stopped. Another (the only?) possible solution is to check if the lock is the only change that's happened in the field.

Later, it may be possible to do this asynchronously using JMS or friends. Previously, I've tried to do this with Hibernate's StatelessSession (doesn't allow component referencing -- move LOCKED out of the components?) and a new Session without interceptor (semantics of flushing too difficult). Another option would be to do this directly with JDBC, but (1) then you have to do this directly with JDBC and (2) how to prevent overwrites by Hibernate?!

Change History (2)

comment:1 Changed 15 years ago by jmoore

r928 provides a workaround. Whether this is a good long-term plan is unclear. It would be better to use Hibernate APIs more directly and to push some of the logic out of ACLEventListener (for example, into Details).

comment:2 Changed 15 years ago by jmoore

  • Keywords changed from iteration5, exploit to iteration5, exploit, REVIEW
  • Resolution set to fixed
  • Status changed from new to closed