@39414/Oracle Under the 'Lifecyles' tab, the 'Edit Phase' and 'Delete Phase' links show up for all users, even w/o Lifecycle admin permissions. If used & follow-up forms submitted, an NPE results. Description of problem: -*-*-*-*-*- Begin Error Report -*-*-*-*-*- -*-*-*- ACS Error Report Code: 172.16.64.111:1c2534f:fa1fd9a5a9 -*-*-*- -*-*-*- Message 1: com.caucho.jsp.JspLineException: null -*-*-*- -*-*-*- Message 2: java.lang.NullPointerException: null -*-*-*- -*-*-*- Section: CCM User -*-*-*- Party not logged in -*-*-*- Section: System properties -*-*-*- ccm.home: /var/ccm-devel/web/jorris/rickshaw com.arsdigita.util.Assert.enabled: true file.encoding: UTF-8 file.encoding.pkg: sun.io file.separator: / java.awt.graphicsenv: sun.awt.X11GraphicsEnvironment java.awt.printerjob: sun.print.PSPrinterJob java.class.path: /home/boston/jorris/dev/lib/classes12.zip:/usr/share/java/junit.jar:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/resin/2.1.4/lib/jaxp.jar:/opt/resin/2.1.4/lib/dom.jar:/opt/resin/2.1.4/lib/jdbc2_0-stdext.jar:/opt/resin/2.1.4/lib/jdbc-mysql.jar:/opt/resin/2.1.4/lib/jndi.jar:/opt/resin/2.1.4/lib/jmx.jar:/opt/resin/2.1.4/lib/jta-spec1_0_1.jar:/opt/resin/2.1.4/lib/resin.jar:/opt/resin/2.1.4/lib/sax.jar:/opt/resin/2.1.4/lib/webutil.jar:/usr/java/j2sdk1.4.2_03/lib/tools.jar:/usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/opt/resin/2.1.4/lib/jsdk23.jar java.class.version: 48.0 java.endorsed.dirs: /usr/java/j2sdk1.4.2_03/jre/lib/endorsed java.ext.dirs: /usr/java/j2sdk1.4.2_03/jre/lib/ext:/usr/java/j2sdk1.4.2_03/lib/ext:/usr/share/ccm-tools/lib/security java.home: /usr/java/j2sdk1.4.2_03/jre java.io.tmpdir: /tmp java.library.path: /usr/java/j2sdk1.4.2_03/jre/lib/i386/client:/usr/java/j2sdk1.4.2_03/jre/lib/i386:/usr/java/j2sdk1.4.2_03/jre/../lib/i386:/opt/oracle/product/9.2.0.1/lib:/lib:/usr/lib:/usr/local/lib:libexec java.naming.factory.initial: com.caucho.naming.InitialContextFactoryImpl java.naming.factory.url.pkgs: com.caucho.naming java.runtime.name: Java(TM) 2 Runtime Environment, Standard Edition java.runtime.version: 1.4.2_03-b02 java.specification.name: Java Platform API Specification java.specification.vendor: Sun Microsystems Inc. java.specification.version: 1.4 java.util.prefs.PreferencesFactory: java.util.prefs.FileSystemPreferencesFactory java.vendor: Sun Microsystems Inc. java.vendor.url: http://java.sun.com/ java.vendor.url.bug: http://java.sun.com/cgi-bin/bugreport.cgi java.version: 1.4.2_03 java.vm.info: mixed mode java.vm.name: Java HotSpot(TM) Client VM java.vm.specification.name: Java Virtual Machine Specification java.vm.specification.vendor: Sun Microsystems Inc. java.vm.specification.version: 1.0 java.vm.vendor: Sun Microsystems Inc. java.vm.version: 1.4.2_03-b02 javax.xml.parsers.DocumentBuilderFactory: org.apache.xerces.jaxp.DocumentBuilderFactoryImpl javax.xml.parsers.SAXParserFactory: org.apache.xerces.jaxp.SAXParserFactoryImpl javax.xml.transform.TransformerFactory: com.icl.saxon.TransformerFactoryImpl line.separator: log4j.configuration: file:///var/ccm-devel/web/jorris/rickshaw/conf/log4j.properties os.arch: i386 os.name: Linux os.version: 2.4.21-4.0.2.EL path.separator: : resin.home: /opt/resin/2.1.4 sun.arch.data.model: 32 sun.boot.class.path: /usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/usr/java/j2sdk1.4.2_03/jre/lib/i18n.jar:/usr/java/j2sdk1.4.2_03/jre/lib/sunrsasign.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jsse.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jce.jar:/usr/java/j2sdk1.4.2_03/jre/lib/charsets.jar:/usr/java/j2sdk1.4.2_03/jre/classes sun.boot.library.path: /usr/java/j2sdk1.4.2_03/jre/lib/i386 sun.cpu.endian: little sun.cpu.isalist: sun.io.unicode.encoding: UnicodeLittle sun.java2d.fontpath: sun.os.patch.level: unknown user.country: US user.dir: /opt/resin/2.1.4 user.home: /home/boston/jorris user.language: en user.name: jorris user.timezone: America/New_York waf.workflow.simple.alerts_enabled: true -*-*-*- Section: Stack trace -*-*-*- java.lang.NullPointerException at com.arsdigita.cms.ui.FormSecurityListener.submitted(FormSecurityListener.java:69) at com.arsdigita.bebop.FormSection.fireSubmitted(FormSection.java:197) at com.arsdigita.bebop.FormSection$1.submitted(FormSection.java:225) at com.arsdigita.bebop.FormModel.fireSubmitted(FormModel.java:391) at com.arsdigita.bebop.FormModel.process(FormModel.java:322) at com.arsdigita.bebop.Form.process(Form.java:440) at com.arsdigita.bebop.Form.respond(Form.java:281) at com.arsdigita.bebop.PageState.respond(PageState.java:367) at com.arsdigita.bebop.Page.process(Page.java:701) at com.arsdigita.bebop.Page.process(Page.java:683) at com.arsdigita.bebop.Page.buildDocument(Page.java:737) at com.arsdigita.cms.dispatcher.CMSPage$1.excurse(CMSPage.java:280) at com.arsdigita.cms.CMSExcursion$1.excurse(CMSExcursion.java:80) at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57) at com.arsdigita.cms.CMSExcursion.run(CMSExcursion.java:75) at com.arsdigita.cms.dispatcher.CMSPage.dispatch(CMSPage.java:294) at _packages._content_22dsection._www._admin._index__jsp._jspService(_index__jsp.java:50) at com.caucho.jsp.JavaPage.service(JavaPage.java:75) at com.caucho.jsp.Page.subservice(Page.java:485) at com.caucho.server.http.FilterChainPage.doFilter(FilterChainPage.java:182) at com.caucho.server.http.Invocation.service(Invocation.java:312) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77) at com.arsdigita.dispatcher.DispatcherHelper.forwardHelper(DispatcherHelper.java:193) at com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:222) at com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:235) at com.arsdigita.cms.ContentSectionServlet.doService(ContentSectionServlet.java:136) at com.arsdigita.web.BaseApplicationServlet$1.excurse(BaseApplicationServlet.java:111) at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57) at com.arsdigita.web.BaseApplicationServlet.doService(BaseApplicationServlet.java:105) at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176) at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57) at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147) at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291) at javax.servlet.http.HttpServlet.service(HttpServlet.java:165) at javax.servlet.http.HttpServlet.service(HttpServlet.java:103) at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96) at com.caucho.server.http.Invocation.service(Invocation.java:312) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100) at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77) at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:201) at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:185) at com.arsdigita.web.BaseDispatcher.dispatch(BaseDispatcher.java:132) at com.arsdigita.web.DispatcherServlet.doService(DispatcherServlet.java:123) at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176) at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57) at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147) at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291) at javax.servlet.http.HttpServlet.service(HttpServlet.java:165) at javax.servlet.http.HttpServlet.service(HttpServlet.java:103) at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96) at com.caucho.server.http.Invocation.service(Invocation.java:312) at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:221) at com.caucho.server.http.HttpRequest.handleConnection(HttpRequest.java:163) at com.caucho.server.TcpConnection.run(TcpConnection.java:137) at java.lang.Thread.run(Thread.java:534) -*-*-*- Section: HTTP headers -*-*-*- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Connection: keep-alive Content-Length: 536 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=aTwbqxGrWpr6; ad_user_login=275!1168883704602!3DakhaISpsG3PX/p5FZGVA== Host: goodeats:9004 Keep-Alive: 300 Referer: http://goodeats:9004/ccm/articles/admin/index.jsp?bbp.18.state=+61+&bbp.916.sel=91&bbp.s=605&g11n.enc=UTF-8&bbp.916.state=+91+&bbp.793.d=asc&bbp.3.pane=4&bbp.676.sel=119&bbp.547.stack=555&bbp.781.d=asc&bbp.18.sel=61&bbp.v=120+4&bbp.e=cell&bbp.681.stack=689&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1&bbp.68.ps=20&bbp.1020.d=asc User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031110 Firebird/0.7 -*-*-*- Section: Servlet attributes -*-*-*- com.arsdigita.bebop.PageState: com.arsdigita.bebop.PageState@1f9f538 = { m_page = com.arsdigita.cms.ui.ContentSectionPage@f29c65, m_request = com.caucho.server.http.DispatchRequest@1e85210, m_response = com.caucho.server.http.HttpResponse@1523bd4, m_pageState = com.arsdigita.bebop.FormData@1d5e94f = { m_parameterDataValues = {bbp.767.c={null, []}, bbp.1096.sel={null, []}, bbp.605.col={4, []}, bbp.456.col={null, []}, bbp.62.srcs={null, []}, bbp.72.sel={null, []}, bbp.1146.sel={null, []}, bbp.391.sel={null, []}, bbp.27.bid={null, []}, bbp.466.col={null, []}, bbp.644.sel={null, []}, bbp.90.state={null, []}, bbp.19.ct={null, []}, bbp.91.sel={null, []}, bbp.502.sel={null, []}, bbp.1129.sel={null, []}, bbp.1075.sel={null, []}, bbp.456.row={null, []}, bbp.466.row={null, []}, bbp.726.sel={null, []}, bbp.710.sel={null, []}, bbp.888.sel={null, []}, bbp.74.col={null, []}, bbp.761.pl={null, []}, bbp.1020.col={null, []}, bbp.1020.o={null, []}, page={null, []}, bbp.781.col={null, []}, bbp.49.fldr={null, []}, bbp.137.col={null, []}, bbp.749.ch={null, []}, bbp.781.m={null, []}, bbp.1118.sel={null, []}, bbp.18.state={ 61 , []}, bbp.916.sel={91, []}, bbp.927.stack={null, []}, bbp.1020.mid={null, []}, bbp.s={592, []}, bbp.74.row={null, []}, query={null, []}, bbp.379.sel={null, []}, bbp.605.row={120, []}, bbp.221.stack={null, []}, bbp.137.row={null, []}, g11n.enc={UTF-8, []}, bbp.403.sel={null, []}, bbp.1006.col={null, []}, bbp.62.act={null, []}, bbp.814.col={null, []}, bbp.828.col={null, []}, bbp.374.stack={null, []}, bbp.858.col={null, []}, bbp.689.stack={null, []}, bbp.226.sel={null, []}, bbp.781.o={null, []}, bbp.63.target={null, []}, single_type={null, []}, bbp.120.row={null, []}, bbp.518.sel={null, []}, bbp.916.state={ 91 , []}, bbp.793.d={asc, []}, bbp.3.pane={4, []}, bbp.1142.sel={null, []}, bbp.355.sel={null, []}, bbp.1006.row={null, []}, bbp.120.col={null, []}, bbp.212.stack={null, []}, bbp.290.row={null, []}, bbp.254.sel={null, []}, bbp.560.sel={null, []}, bbp.793.col={null, []}, bbp.34.fldr={null, []}, bbp.676.sel={119, []}, bbp.410.stack={null, []}, bbp.1062.sel={null, []}, bbp.584.sel={null, []}, bbp.793.o={null, []}, bbp.1045.sel={null, []}, bbp.425.col={null, []}, bbp.83.sel={null, []}, bbp.534.sel={null, []}, bbp.1107.sel={null, []}, bbp.170.col={null, []}, bbp.170.row={null, []}, bbp.555.stack={[Ljava.lang.Integer;@c85c1f, []}, bbp.27.iid={null, []}, bbp.240.sel={null, []}, bbp.618.sel={null, []}, privs_set={null, []}, bbp.694.sel={null, []}, bbp.547.stack={[Ljava.lang.Integer;@180809, []}, bbp.781.d={asc, []}, bbp.542.sel={null, []}, bbp.18.sel={61, []}, bbp.572.sel={null, []}, bbp.767.t={null, []}, bbp.v={null, []}, bbp.e={null, []}, bbp.366.stack={null, []}, bbp.425.row={null, []}, bbp.681.stack={[Ljava.lang.Integer;@1b7a8c5, []}, bbp.793.mid={null, []}, bbp.300.row={null, []}, bbp.300.col={null, []}, bbp.290.col={null, []}, bbp.858.row={null, []}, bbp.814.row={null, []}, bbp.978.sel={null, []}, bbp.i={{4, 8, 96, 106, 555, 590, 592}, []}, bbp.333.sel={null, []}, bbp.828.row={null, []}, bbp.68.ps={20, []}, bbp.919.stack={null, []}, bbp.755.sc={null, []}, bbp.1020.d={asc, []}, bbp.949.sel={null, []}, bbp.268.sel={null, []}, bbp.311.sel={null, []}}, m_formErrors = null, m_model = com.arsdigita.bebop.FormModel@a93a16, m_locale = en_US, m_isTransformed = true, m_isValid = true, m_isSubmission = true }, m_attributes = null, , m_grabbingComponent = null, m_invisible = {4, 5, 6, 7, 9, 10, 20, 21, 22, 23, 63, 69, 96, 106, 114, 115, 116, 169, 202, 213, 214, 215, 216, 217, 218, 219, 220, 221, 273, 274, 275, 276, 277, 278, 367, 368, 369, 370, 371, 372, 373, 374, 408, 409, 410, 411, 412, 413, 433, 434, 435, 436, 548, 549, 550, 551, 552, 553, 554, 589, 591, 593, 682, 683, 684, 685, 686, 687, 688, 689, 731, 732, 733, 734, 735, 768, 808, 809, 810, 857, 920, 921, 922, 923, 924, 925, 926, 927, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992} } com.arsdigita.bebop.RequestLocal: {com.arsdigita.bebop.Form$2@750e30=} com.arsdigita.cms.dispatcher.section: [com.arsdigita.cms.ContentSection:{id=65}] com.arsdigita.dispatcher.RequestContext: com.arsdigita.sitenode.SiteNodeRequestContext@bf5743 com.arsdigita.dispatcher.RequestValue: {com.arsdigita.dispatcher.RequestValue@15c1ae3=null} com.arsdigita.web.BaseApplicationServlet.application_id: 65 com.arsdigita.web.BaseDispatcher.dispatched: true com.arsdigita.web.BaseServlet.request_url: /ccm/articles/admin/index.jsp?delay_hours=0&bbp.547.stack=555&bbp.781.d=asc&form.EditPhaseDefinition=visited&bbp.916.state=+91+&bbp.793.d=asc&bbp.18.state=+61+&bbp.605.col=4&bbp.3.pane=4&bbp.18.sel=61&bbp.916.sel=91&bbp.s=592&submit=%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0Edit+Phase%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0&bbp.681.stack=689&bbp.676.sel=119&duration_hours=&bbp.605.row=120&g11n.enc=UTF-8&delay_days=0&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1.1.1&duration_minutes=&bbp.68.ps=20&bbp.555.stack=592&label=Shrub&description=The+first+phase.+It+lasts+forever.&bbp.1020.d=asc&duration_days=&delay_minutes=0 -*-*-*- Section: Request summary -*-*-*- Context path: Request URI: /ccm/articles/admin/index.jsp Query string: null Method: POST Remote user: null -*-*-*- Section: Cookies -*-*-*- JSESSIONID: aTwbqxGrWpr6 (expires: -1) ad_user_login: 275!1168883704602!3DakhaISpsG3PX/p5FZGVA== (expires: -1) -*-*-*-*-*- End Error Report -*-*-*-*-*-
Fixing the NPE is pretty trivial. It's this code in FormSecurityListener: if (m_item == null && sm.canAccess(user, m_action)) { return; } final ContentItem item = m_item.getContentItem(state); if (sm.canAccess(user, m_action, item)) { return; } throw new AccessDeniedException(); Changing to if(m_item == null) ... else ... will give us an AccessDenied page instead of an error, at least.
Fixed @39710. Note that this is only a partial fix for RC0, in that the links still show up. Only the NPE is fixed, so that an 'Access Denied' page is presented. Opened bug 114313 to track the links shown bug.