Bug 113706 - Edit, Delete phase links show up for user w/o perms, NPE if used.
Edit, Delete phase links show up for user w/o perms, NPE if used.
Status: CLOSED RAWHIDE
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other (Show other bugs)
nightly
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jon Orris
Jon Orris
:
Depends On:
Blocks: 106481
  Show dependency treegraph
 
Reported: 2004-01-16 13:09 EST by Jon Orris
Modified: 2007-04-18 13:01 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-01-26 10:26:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jon Orris 2004-01-16 13:09:44 EST
@39414/Oracle
Under the 'Lifecyles' tab, the 'Edit Phase' and 'Delete Phase' links
show up for all users, even w/o Lifecycle admin permissions. If used &
follow-up forms submitted, an NPE results.

Description of problem:

-*-*-*-*-*- Begin Error Report -*-*-*-*-*-
-*-*-*- ACS Error Report Code: 172.16.64.111:1c2534f:fa1fd9a5a9 -*-*-*-
-*-*-*- Message 1: com.caucho.jsp.JspLineException: null -*-*-*-
-*-*-*- Message 2: java.lang.NullPointerException: null -*-*-*-

-*-*-*- Section: CCM User -*-*-*-
Party not logged in

-*-*-*- Section: System properties -*-*-*-
ccm.home: /var/ccm-devel/web/jorris/rickshaw
com.arsdigita.util.Assert.enabled: true
file.encoding: UTF-8
file.encoding.pkg: sun.io
file.separator: /
java.awt.graphicsenv: sun.awt.X11GraphicsEnvironment
java.awt.printerjob: sun.print.PSPrinterJob
java.class.path:
/home/boston/jorris/dev/lib/classes12.zip:/usr/share/java/junit.jar:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/resin/2.1.4/lib/jaxp.jar:/opt/resin/2.1.4/lib/dom.jar:/opt/resin/2.1.4/lib/jdbc2_0-stdext.jar:/opt/resin/2.1.4/lib/jdbc-mysql.jar:/opt/resin/2.1.4/lib/jndi.jar:/opt/resin/2.1.4/lib/jmx.jar:/opt/resin/2.1.4/lib/jta-spec1_0_1.jar:/opt/resin/2.1.4/lib/resin.jar:/opt/resin/2.1.4/lib/sax.jar:/opt/resin/2.1.4/lib/webutil.jar:/usr/java/j2sdk1.4.2_03/lib/tools.jar:/usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/opt/resin/2.1.4/lib/jsdk23.jar
java.class.version: 48.0
java.endorsed.dirs: /usr/java/j2sdk1.4.2_03/jre/lib/endorsed
java.ext.dirs:
/usr/java/j2sdk1.4.2_03/jre/lib/ext:/usr/java/j2sdk1.4.2_03/lib/ext:/usr/share/ccm-tools/lib/security
java.home: /usr/java/j2sdk1.4.2_03/jre
java.io.tmpdir: /tmp
java.library.path:
/usr/java/j2sdk1.4.2_03/jre/lib/i386/client:/usr/java/j2sdk1.4.2_03/jre/lib/i386:/usr/java/j2sdk1.4.2_03/jre/../lib/i386:/opt/oracle/product/9.2.0.1/lib:/lib:/usr/lib:/usr/local/lib:libexec
java.naming.factory.initial: com.caucho.naming.InitialContextFactoryImpl
java.naming.factory.url.pkgs: com.caucho.naming
java.runtime.name: Java(TM) 2 Runtime Environment, Standard Edition
java.runtime.version: 1.4.2_03-b02
java.specification.name: Java Platform API Specification
java.specification.vendor: Sun Microsystems Inc.
java.specification.version: 1.4
java.util.prefs.PreferencesFactory:
java.util.prefs.FileSystemPreferencesFactory
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vendor.url.bug: http://java.sun.com/cgi-bin/bugreport.cgi
java.version: 1.4.2_03
java.vm.info: mixed mode
java.vm.name: Java HotSpot(TM) Client VM
java.vm.specification.name: Java Virtual Machine Specification
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.version: 1.0
java.vm.vendor: Sun Microsystems Inc.
java.vm.version: 1.4.2_03-b02
javax.xml.parsers.DocumentBuilderFactory:
org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
javax.xml.parsers.SAXParserFactory:
org.apache.xerces.jaxp.SAXParserFactoryImpl
javax.xml.transform.TransformerFactory:
com.icl.saxon.TransformerFactoryImpl
line.separator: 

log4j.configuration:
file:///var/ccm-devel/web/jorris/rickshaw/conf/log4j.properties
os.arch: i386
os.name: Linux
os.version: 2.4.21-4.0.2.EL
path.separator: :
resin.home: /opt/resin/2.1.4
sun.arch.data.model: 32
sun.boot.class.path:
/usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/usr/java/j2sdk1.4.2_03/jre/lib/i18n.jar:/usr/java/j2sdk1.4.2_03/jre/lib/sunrsasign.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jsse.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jce.jar:/usr/java/j2sdk1.4.2_03/jre/lib/charsets.jar:/usr/java/j2sdk1.4.2_03/jre/classes
sun.boot.library.path: /usr/java/j2sdk1.4.2_03/jre/lib/i386
sun.cpu.endian: little
sun.cpu.isalist: 
sun.io.unicode.encoding: UnicodeLittle
sun.java2d.fontpath: 
sun.os.patch.level: unknown
user.country: US
user.dir: /opt/resin/2.1.4
user.home: /home/boston/jorris
user.language: en
user.name: jorris
user.timezone: America/New_York
waf.workflow.simple.alerts_enabled: true

-*-*-*- Section: Stack trace -*-*-*-
java.lang.NullPointerException
	at
com.arsdigita.cms.ui.FormSecurityListener.submitted(FormSecurityListener.java:69)
	at com.arsdigita.bebop.FormSection.fireSubmitted(FormSection.java:197)
	at com.arsdigita.bebop.FormSection$1.submitted(FormSection.java:225)
	at com.arsdigita.bebop.FormModel.fireSubmitted(FormModel.java:391)
	at com.arsdigita.bebop.FormModel.process(FormModel.java:322)
	at com.arsdigita.bebop.Form.process(Form.java:440)
	at com.arsdigita.bebop.Form.respond(Form.java:281)
	at com.arsdigita.bebop.PageState.respond(PageState.java:367)
	at com.arsdigita.bebop.Page.process(Page.java:701)
	at com.arsdigita.bebop.Page.process(Page.java:683)
	at com.arsdigita.bebop.Page.buildDocument(Page.java:737)
	at com.arsdigita.cms.dispatcher.CMSPage$1.excurse(CMSPage.java:280)
	at com.arsdigita.cms.CMSExcursion$1.excurse(CMSExcursion.java:80)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.cms.CMSExcursion.run(CMSExcursion.java:75)
	at com.arsdigita.cms.dispatcher.CMSPage.dispatch(CMSPage.java:294)
	at
_packages._content_22dsection._www._admin._index__jsp._jspService(_index__jsp.java:50)
	at com.caucho.jsp.JavaPage.service(JavaPage.java:75)
	at com.caucho.jsp.Page.subservice(Page.java:485)
	at
com.caucho.server.http.FilterChainPage.doFilter(FilterChainPage.java:182)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77)
	at
com.arsdigita.dispatcher.DispatcherHelper.forwardHelper(DispatcherHelper.java:193)
	at
com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:222)
	at
com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:235)
	at
com.arsdigita.cms.ContentSectionServlet.doService(ContentSectionServlet.java:136)
	at
com.arsdigita.web.BaseApplicationServlet$1.excurse(BaseApplicationServlet.java:111)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at
com.arsdigita.web.BaseApplicationServlet.doService(BaseApplicationServlet.java:105)
	at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147)
	at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
	at
com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100)
	at
com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77)
	at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:201)
	at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:185)
	at com.arsdigita.web.BaseDispatcher.dispatch(BaseDispatcher.java:132)
	at
com.arsdigita.web.DispatcherServlet.doService(DispatcherServlet.java:123)
	at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147)
	at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
	at
com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:221)
	at
com.caucho.server.http.HttpRequest.handleConnection(HttpRequest.java:163)
	at com.caucho.server.TcpConnection.run(TcpConnection.java:137)
	at java.lang.Thread.run(Thread.java:534)


-*-*-*- Section: HTTP headers -*-*-*-
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Length: 536
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=aTwbqxGrWpr6;
ad_user_login=275!1168883704602!3DakhaISpsG3PX/p5FZGVA==
Host: goodeats:9004
Keep-Alive: 300
Referer:
http://goodeats:9004/ccm/articles/admin/index.jsp?bbp.18.state=+61+&bbp.916.sel=91&bbp.s=605&g11n.enc=UTF-8&bbp.916.state=+91+&bbp.793.d=asc&bbp.3.pane=4&bbp.676.sel=119&bbp.547.stack=555&bbp.781.d=asc&bbp.18.sel=61&bbp.v=120+4&bbp.e=cell&bbp.681.stack=689&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1&bbp.68.ps=20&bbp.1020.d=asc
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031110 Firebird/0.7

-*-*-*- Section: Servlet attributes -*-*-*-
com.arsdigita.bebop.PageState: com.arsdigita.bebop.PageState@1f9f538 = {
m_page = com.arsdigita.cms.ui.ContentSectionPage@f29c65,
m_request = com.caucho.server.http.DispatchRequest@1e85210,
m_response = com.caucho.server.http.HttpResponse@1523bd4,
m_pageState = com.arsdigita.bebop.FormData@1d5e94f = {
m_parameterDataValues = {bbp.767.c={null, []}, bbp.1096.sel={null,
[]}, bbp.605.col={4, []}, bbp.456.col={null, []}, bbp.62.srcs={null,
[]}, bbp.72.sel={null, []}, bbp.1146.sel={null, []},
bbp.391.sel={null, []}, bbp.27.bid={null, []}, bbp.466.col={null, []},
bbp.644.sel={null, []}, bbp.90.state={null, []}, bbp.19.ct={null, []},
bbp.91.sel={null, []}, bbp.502.sel={null, []}, bbp.1129.sel={null,
[]}, bbp.1075.sel={null, []}, bbp.456.row={null, []},
bbp.466.row={null, []}, bbp.726.sel={null, []}, bbp.710.sel={null,
[]}, bbp.888.sel={null, []}, bbp.74.col={null, []}, bbp.761.pl={null,
[]}, bbp.1020.col={null, []}, bbp.1020.o={null, []}, page={null, []},
bbp.781.col={null, []}, bbp.49.fldr={null, []}, bbp.137.col={null,
[]}, bbp.749.ch={null, []}, bbp.781.m={null, []}, bbp.1118.sel={null,
[]}, bbp.18.state={ 61 , []}, bbp.916.sel={91, []},
bbp.927.stack={null, []}, bbp.1020.mid={null, []}, bbp.s={592, []},
bbp.74.row={null, []}, query={null, []}, bbp.379.sel={null, []},
bbp.605.row={120, []}, bbp.221.stack={null, []}, bbp.137.row={null,
[]}, g11n.enc={UTF-8, []}, bbp.403.sel={null, []}, bbp.1006.col={null,
[]}, bbp.62.act={null, []}, bbp.814.col={null, []}, bbp.828.col={null,
[]}, bbp.374.stack={null, []}, bbp.858.col={null, []},
bbp.689.stack={null, []}, bbp.226.sel={null, []}, bbp.781.o={null,
[]}, bbp.63.target={null, []}, single_type={null, []},
bbp.120.row={null, []}, bbp.518.sel={null, []}, bbp.916.state={ 91 ,
[]}, bbp.793.d={asc, []}, bbp.3.pane={4, []}, bbp.1142.sel={null, []},
bbp.355.sel={null, []}, bbp.1006.row={null, []}, bbp.120.col={null,
[]}, bbp.212.stack={null, []}, bbp.290.row={null, []},
bbp.254.sel={null, []}, bbp.560.sel={null, []}, bbp.793.col={null,
[]}, bbp.34.fldr={null, []}, bbp.676.sel={119, []},
bbp.410.stack={null, []}, bbp.1062.sel={null, []}, bbp.584.sel={null,
[]}, bbp.793.o={null, []}, bbp.1045.sel={null, []}, bbp.425.col={null,
[]}, bbp.83.sel={null, []}, bbp.534.sel={null, []},
bbp.1107.sel={null, []}, bbp.170.col={null, []}, bbp.170.row={null,
[]}, bbp.555.stack={[Ljava.lang.Integer;@c85c1f, []},
bbp.27.iid={null, []}, bbp.240.sel={null, []}, bbp.618.sel={null, []},
privs_set={null, []}, bbp.694.sel={null, []},
bbp.547.stack={[Ljava.lang.Integer;@180809, []}, bbp.781.d={asc, []},
bbp.542.sel={null, []}, bbp.18.sel={61, []}, bbp.572.sel={null, []},
bbp.767.t={null, []}, bbp.v={null, []}, bbp.e={null, []},
bbp.366.stack={null, []}, bbp.425.row={null, []},
bbp.681.stack={[Ljava.lang.Integer;@1b7a8c5, []}, bbp.793.mid={null,
[]}, bbp.300.row={null, []}, bbp.300.col={null, []},
bbp.290.col={null, []}, bbp.858.row={null, []}, bbp.814.row={null,
[]}, bbp.978.sel={null, []}, bbp.i={{4, 8, 96, 106, 555, 590, 592},
[]}, bbp.333.sel={null, []}, bbp.828.row={null, []}, bbp.68.ps={20,
[]}, bbp.919.stack={null, []}, bbp.755.sc={null, []}, bbp.1020.d={asc,
[]}, bbp.949.sel={null, []}, bbp.268.sel={null, []},
bbp.311.sel={null, []}},
m_formErrors = null,
m_model = com.arsdigita.bebop.FormModel@a93a16,
m_locale = en_US,
m_isTransformed = true,
m_isValid = true,
m_isSubmission = true
},
m_attributes = null,
,
m_grabbingComponent = null,
m_invisible = {4, 5, 6, 7, 9, 10, 20, 21, 22, 23, 63, 69, 96, 106,
114, 115, 116, 169, 202, 213, 214, 215, 216, 217, 218, 219, 220, 221,
273, 274, 275, 276, 277, 278, 367, 368, 369, 370, 371, 372, 373, 374,
408, 409, 410, 411, 412, 413, 433, 434, 435, 436, 548, 549, 550, 551,
552, 553, 554, 589, 591, 593, 682, 683, 684, 685, 686, 687, 688, 689,
731, 732, 733, 734, 735, 768, 808, 809, 810, 857, 920, 921, 922, 923,
924, 925, 926, 927, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992}
}
com.arsdigita.bebop.RequestLocal: {com.arsdigita.bebop.Form$2@750e30=}
com.arsdigita.cms.dispatcher.section:
[com.arsdigita.cms.ContentSection:{id=65}]
com.arsdigita.dispatcher.RequestContext:
com.arsdigita.sitenode.SiteNodeRequestContext@bf5743
com.arsdigita.dispatcher.RequestValue:
{com.arsdigita.dispatcher.RequestValue@15c1ae3=null}
com.arsdigita.web.BaseApplicationServlet.application_id: 65
com.arsdigita.web.BaseDispatcher.dispatched: true
com.arsdigita.web.BaseServlet.request_url:
/ccm/articles/admin/index.jsp?delay_hours=0&bbp.547.stack=555&bbp.781.d=asc&form.EditPhaseDefinition=visited&bbp.916.state=+91+&bbp.793.d=asc&bbp.18.state=+61+&bbp.605.col=4&bbp.3.pane=4&bbp.18.sel=61&bbp.916.sel=91&bbp.s=592&submit=%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0Edit+Phase%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0&bbp.681.stack=689&bbp.676.sel=119&duration_hours=&bbp.605.row=120&g11n.enc=UTF-8&delay_days=0&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1.1.1&duration_minutes=&bbp.68.ps=20&bbp.555.stack=592&label=Shrub&description=The+first+phase.+It+lasts+forever.&bbp.1020.d=asc&duration_days=&delay_minutes=0

-*-*-*- Section: Request summary -*-*-*-
Context path: 
Request URI: /ccm/articles/admin/index.jsp
Query string: null
Method: POST
Remote user: null

-*-*-*- Section: Cookies -*-*-*-
JSESSIONID: aTwbqxGrWpr6 (expires: -1)
ad_user_login: 275!1168883704602!3DakhaISpsG3PX/p5FZGVA== (expires: -1)
-*-*-*-*-*- End Error Report -*-*-*-*-*-
Comment 1 Jon Orris 2004-01-16 18:48:45 EST
Fixing the NPE is pretty trivial. It's this code in FormSecurityListener:

        if (m_item == null && sm.canAccess(user, m_action)) {
            return;
        }

        final ContentItem item = m_item.getContentItem(state);

        if (sm.canAccess(user, m_action, item)) {
            return;
        }

        throw new AccessDeniedException();

Changing to if(m_item == null) ... else ... will give us an
AccessDenied page instead of an error, at least.

Comment 2 Jon Orris 2004-01-26 10:26:42 EST
Fixed @39710. Note that this is only a partial fix for RC0, in that
the links still show up. Only the NPE is fixed, so that an 'Access
Denied' page is  presented.

Opened bug 114313 to track the links shown bug.


Note You need to log in before you can comment on or make changes to this bug.