Bug #345 (closed)
Opened 18 years ago
Closed 18 years ago
Locking mechansim is granting too many privileges
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | critical | Cc: | |
| Sprint: | n.a. | ||
| Total Remaining Time: | n.a. |
Description
SecuritySystem.markLocked() called by FlushEntityEventListener is giving tokens away too freely. This has to be stopped. Another (the only?) possible solution is to check if the lock is the only change that's happened in the field.
Later, it may be possible to do this asynchronously using JMS or friends. Previously, I've tried to do this with Hibernate's StatelessSession ( doesn't allow component referencing -- move LOCKED out of the components?) and a new Session without interceptor (semantics of flushing too difficult). Another option would be to do this directly with JDBC, but (1) then you have to do this directly with JDBC and (2) how to prevent overwrites by Hibernate?!
Change History (2)
comment:1 Changed 18 years ago by jmoore
comment:2 Changed 18 years ago by jmoore
- Keywords changed from iteration5, exploit to iteration5, exploit, REVIEW
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
r928 provides a workaround. Whether this is a good long-term plan is unclear. It would be better to use Hibernate APIs more directly and to push some of the logic out of ACLEventListener (for example, into Details)