Bug #397 (closed)
Opened 18 years ago
Closed 18 years ago
SecuritySystem.runAsAdmin and doAction should NOT take detached objects.
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | critical | Cc: | |
| Sprint: | n.a. | | |
| Total Remaining Time: | n.a. | | |
Description
Currently it is possible for SecuritySystem API consumers to mistakenly pass a detached (untrusted) entity into the runAsAdmin() or doAction() methods, which could undermine much of the security system.
Change History (2)
comment:1 Changed 18 years ago by jmoore

r1005 makes it much more difficult to exploit this.

runAsAdmin can no longer use merge(), meaning that the state of detached objects cannot be sent directly to the db. doAction will no longer accept detached entities whatsoever. (A similar approach for runAsAdmin would have been safer, but is not possible.)

However, it is still possible that a service provider forgets to untaint objects. This is especially important for IAdmin. All methods must reload the entities from the DB. In fact, an @Untaint annotation would possibly be sensible (see #399).

comment:2 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
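As an added illustration of the untaint-before-use rule from the comment above (example code, not from the ticket or the project): a privileged service method never acts on the caller's object graph, it either refuses a detached entity or throws the client-supplied state away and reloads the row by identifier. The class and method names (`Untaint`, `untaint`, `requireAttached`) are assumptions; the Hibernate `Session.contains` and `Session.get` calls are standard.

```java
import java.io.Serializable;
import org.hibernate.Session;

/** Hypothetical helper: ensures privileged code only ever touches DB-backed entity state. */
public final class Untaint {

    private Untaint() {}

    /**
     * Returns a managed (attached) instance for the given entity.
     * A detached object may carry arbitrary client-set fields (owner, group, permissions),
     * so instead of merging that state into the session we discard it and reload the row.
     * The only value taken from the caller's object is its identifier.
     */
    public static <T> T untaint(Session session, Class<T> type, T entity, Serializable id) {
        if (entity == null) {
            throw new IllegalArgumentException("entity must not be null");
        }
        if (session.contains(entity)) {
            return entity;                         // already managed: state came from this session
        }
        if (id == null) {
            // transient (never saved) object: there is no trusted DB copy, so refuse it
            throw new SecurityException("transient entity passed to privileged call");
        }
        Object managed = session.get(type, id);    // reload; detached field values are dropped
        if (managed == null) {
            throw new SecurityException("no " + type.getSimpleName() + " with id " + id);
        }
        return type.cast(managed);
    }

    /** Strict variant, matching what the comment says doAction does after r1005: reject outright. */
    public static void requireAttached(Session session, Object entity) {
        if (entity == null || !session.contains(entity)) {
            throw new SecurityException("detached entity passed to doAction");
        }
    }
}
```

A service method that forgets to call `untaint` (or `requireAttached`) on every argument is exactly the gap the comment describes, which is why an annotation-driven check (#399) is attractive: the reload happens whether or not the service author remembers.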