Bug 98867
| Summary: | Folder#getItems has bogus permissions filter | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Enterprise CMS | Reporter: | Daniel Berrangé <berrange> |
| Component: | other | Assignee: | Justin Ross <jross> |
| Status: | CLOSED RAWHIDE | QA Contact: | Jon Orris <jorris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | nightly | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2003-07-09 18:48:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 92111 | | |
p4 33405
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The following code in Folder#getItems is totally bogus & should be removed. I believe it was accidentally introduced in the URL category browser merge - a similar thing happened in London CMS 5.2. It has 4 problems:

* It totally kills performance of browsing a site with a deep folder structure, because it is explicitly checking permissions at every level.
* It is redundant because the Dispatcher already checks permissions.
* It is redundant because the permissions context hierarchy already represents the hierarchical nature of permissions on folders.
* It can result in a situation where logged in users *can't* view items, whereas anonymous users can!

```java
final KernelContext context = Kernel.getContext();
// If the context is null then it is a cron job or an initializer,
// so we do not want to restrict the permissions because there is
// not a partyID to restrict them to (e.g., context.getParty() ==
// null).
// Note: an anonymous request also has no party, so it skips the
// filter entirely while a logged-in party is filtered per item.
if (context.getParty() != null) {
    PermissionService.filterQuery
        (query, "item." + ACSObject.ID,
         SecurityManager.CMS_PREVIEW_ITEM_DESCRIPTOR,
         context.getParty().getOID());
}
```

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Look in Folder.java to see if the code is still there

Additional info:
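The inversion the report describes in its fourth point (a logged-in user is filtered per item, an anonymous caller has no party and so is never filtered) is easy to lose in the abstract, so here is an added model of it. This is editor-supplied example code, not Red Hat Enterprise CMS code and not anything the reporter posted: `Node`, `can_read`, `dispatch`, `get_items_buggy`, `get_items_fixed`, `view_item`, `denied` and the sample site are all assumptions standing in for `Folder`, the permission context hierarchy, the Dispatcher and `PermissionService.filterQuery`. The "fixed" path models the report's argument: one hierarchical check at dispatch on the object actually requested, with anonymous treated as a principal rather than exempted, and no per-item filter in `getItems`.

```python
# Added model of the Folder#getItems permission-filter problem described in
# this report.  NOT Red Hat Enterprise CMS code: every name below is an
# assumption made to model the reported behaviour in isolation.
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

ANONYMOUS = "anonymous"   # anonymous is a real principal in the fixed path
PUBLIC = "public"         # grant marker: readable by everyone, anonymous included


@dataclass
class Node:
    """A folder or item in a permission-context hierarchy (assumed model)."""
    name: str
    grants: Optional[FrozenSet[str]] = None   # None = inherit from parent context
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def can_read(node: Node, party: str) -> bool:
    """Hierarchical check: the nearest ancestor with explicit grants decides."""
    n: Optional[Node] = node
    while n is not None:
        if n.grants is not None:
            return PUBLIC in n.grants or party in n.grants
        n = n.parent
    return False


def get_items_buggy(folder: Node, party: Optional[str]) -> List[str]:
    """Mirrors the reported code: filter per item, but only when a party
    exists, so an anonymous caller (party None) is never filtered at all."""
    if party is None:
        return [c.name for c in folder.children]
    return [c.name for c in folder.children if can_read(c, party)]


def get_items_fixed(folder: Node, party: Optional[str]) -> List[str]:
    """Per-item filter removed: the listing relies on the single check the
    dispatcher already made on the folder's permission context."""
    return [c.name for c in folder.children]


def view_item(item: Node, party: Optional[str]) -> str:
    """Viewing one item; access is decided by dispatch(), not here."""
    return item.name


def dispatch(node: Node, party: Optional[str], action: Callable) -> object:
    """Models the Dispatcher: exactly one hierarchical check on the requested
    object, with anonymous treated as a principal rather than exempted."""
    principal = ANONYMOUS if party is None else party
    if not can_read(node, principal):
        raise PermissionError(f"{principal} may not access {node.name}")
    return action(node, party)


def denied(node: Node, party: Optional[str], action: Callable) -> bool:
    """True if dispatch() refuses the request (helper for checking outcomes)."""
    try:
        dispatch(node, party, action)
    except PermissionError:
        return True
    return False


def build_site() -> dict:
    """Constructed sample hierarchy: a public docs folder holding one public
    page and one page restricted to 'editor'."""
    root = Node("root", grants=frozenset({PUBLIC}))
    docs = root.add(Node("docs"))                     # inherits: public
    faq = docs.add(Node("faq.html"))                  # inherits: public
    draft = docs.add(Node("draft.html", grants=frozenset({"editor"})))
    return {"root": root, "docs": docs, "faq": faq, "draft": draft}


if __name__ == "__main__":
    site = build_site()
    # Reported inversion: anonymous sees the restricted draft, logged-in
    # non-editor 'alice' does not.
    print("buggy/anonymous:", get_items_buggy(site["docs"], None))
    print("buggy/alice    :", get_items_buggy(site["docs"], "alice"))
    # Fixed path: one check at dispatch; the draft itself still needs 'editor'.
    print("fixed/anonymous:", dispatch(site["docs"], None, get_items_fixed))
    print("draft denied to anonymous:", denied(site["draft"], None, view_item))
```

Two things the model makes visible: the buggy path gives the party-less caller strictly more than any authenticated party, so the filter protects nothing against exactly the principal it should worry about; and the fixed path performs one `can_read` walk per request instead of one per child per folder level, which is the performance point in the report's first bullet. Whether a listing should also hide the names of children the caller cannot open is a separate question the report does not address, and the model follows the report in leaving `getItems` unfiltered.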