Bug 113706 - Edit, Delete phase links show up for user w/o perms, NPE if used.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other
Version: nightly
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jon Orris
QA Contact: Jon Orris
URL:
Whiteboard:
Depends On:
Blocks: 106481
Reported: 2004-01-16 18:09 UTC by Jon Orris
Modified: 2007-04-18 17:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-01-26 15:26:42 UTC
Embargoed:



Description Jon Orris 2004-01-16 18:09:44 UTC
@39414/Oracle
Under the 'Lifecycles' tab, the 'Edit Phase' and 'Delete Phase' links
show up for all users, even w/o Lifecycle admin permissions. If used &
follow-up forms submitted, an NPE results.

Description of problem:

-*-*-*-*-*- Begin Error Report -*-*-*-*-*-
-*-*-*- ACS Error Report Code: 172.16.64.111:1c2534f:fa1fd9a5a9 -*-*-*-
-*-*-*- Message 1: com.caucho.jsp.JspLineException: null -*-*-*-
-*-*-*- Message 2: java.lang.NullPointerException: null -*-*-*-

-*-*-*- Section: CCM User -*-*-*-
Party not logged in

-*-*-*- Section: System properties -*-*-*-
ccm.home: /var/ccm-devel/web/jorris/rickshaw
com.arsdigita.util.Assert.enabled: true
file.encoding: UTF-8
file.encoding.pkg: sun.io
file.separator: /
java.awt.graphicsenv: sun.awt.X11GraphicsEnvironment
java.awt.printerjob: sun.print.PSPrinterJob
java.class.path:
/home/boston/jorris/dev/lib/classes12.zip:/usr/share/java/junit.jar:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/oracle/product/9.2.0.1/jdbc/lib/classes12.zip:/opt/resin/2.1.4/lib/jaxp.jar:/opt/resin/2.1.4/lib/dom.jar:/opt/resin/2.1.4/lib/jdbc2_0-stdext.jar:/opt/resin/2.1.4/lib/jdbc-mysql.jar:/opt/resin/2.1.4/lib/jndi.jar:/opt/resin/2.1.4/lib/jmx.jar:/opt/resin/2.1.4/lib/jta-spec1_0_1.jar:/opt/resin/2.1.4/lib/resin.jar:/opt/resin/2.1.4/lib/sax.jar:/opt/resin/2.1.4/lib/webutil.jar:/usr/java/j2sdk1.4.2_03/lib/tools.jar:/usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/opt/resin/2.1.4/lib/jsdk23.jar
java.class.version: 48.0
java.endorsed.dirs: /usr/java/j2sdk1.4.2_03/jre/lib/endorsed
java.ext.dirs:
/usr/java/j2sdk1.4.2_03/jre/lib/ext:/usr/java/j2sdk1.4.2_03/lib/ext:/usr/share/ccm-tools/lib/security
java.home: /usr/java/j2sdk1.4.2_03/jre
java.io.tmpdir: /tmp
java.library.path:
/usr/java/j2sdk1.4.2_03/jre/lib/i386/client:/usr/java/j2sdk1.4.2_03/jre/lib/i386:/usr/java/j2sdk1.4.2_03/jre/../lib/i386:/opt/oracle/product/9.2.0.1/lib:/lib:/usr/lib:/usr/local/lib:libexec
java.naming.factory.initial: com.caucho.naming.InitialContextFactoryImpl
java.naming.factory.url.pkgs: com.caucho.naming
java.runtime.name: Java(TM) 2 Runtime Environment, Standard Edition
java.runtime.version: 1.4.2_03-b02
java.specification.name: Java Platform API Specification
java.specification.vendor: Sun Microsystems Inc.
java.specification.version: 1.4
java.util.prefs.PreferencesFactory:
java.util.prefs.FileSystemPreferencesFactory
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vendor.url.bug: http://java.sun.com/cgi-bin/bugreport.cgi
java.version: 1.4.2_03
java.vm.info: mixed mode
java.vm.name: Java HotSpot(TM) Client VM
java.vm.specification.name: Java Virtual Machine Specification
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.version: 1.0
java.vm.vendor: Sun Microsystems Inc.
java.vm.version: 1.4.2_03-b02
javax.xml.parsers.DocumentBuilderFactory:
org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
javax.xml.parsers.SAXParserFactory:
org.apache.xerces.jaxp.SAXParserFactoryImpl
javax.xml.transform.TransformerFactory:
com.icl.saxon.TransformerFactoryImpl
line.separator: 

log4j.configuration:
file:///var/ccm-devel/web/jorris/rickshaw/conf/log4j.properties
os.arch: i386
os.name: Linux
os.version: 2.4.21-4.0.2.EL
path.separator: :
resin.home: /opt/resin/2.1.4
sun.arch.data.model: 32
sun.boot.class.path:
/usr/java/j2sdk1.4.2_03/jre/lib/rt.jar:/usr/java/j2sdk1.4.2_03/jre/lib/i18n.jar:/usr/java/j2sdk1.4.2_03/jre/lib/sunrsasign.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jsse.jar:/usr/java/j2sdk1.4.2_03/jre/lib/jce.jar:/usr/java/j2sdk1.4.2_03/jre/lib/charsets.jar:/usr/java/j2sdk1.4.2_03/jre/classes
sun.boot.library.path: /usr/java/j2sdk1.4.2_03/jre/lib/i386
sun.cpu.endian: little
sun.cpu.isalist: 
sun.io.unicode.encoding: UnicodeLittle
sun.java2d.fontpath: 
sun.os.patch.level: unknown
user.country: US
user.dir: /opt/resin/2.1.4
user.home: /home/boston/jorris
user.language: en
user.name: jorris
user.timezone: America/New_York
waf.workflow.simple.alerts_enabled: true

-*-*-*- Section: Stack trace -*-*-*-
java.lang.NullPointerException
	at com.arsdigita.cms.ui.FormSecurityListener.submitted(FormSecurityListener.java:69)
	at com.arsdigita.bebop.FormSection.fireSubmitted(FormSection.java:197)
	at com.arsdigita.bebop.FormSection$1.submitted(FormSection.java:225)
	at com.arsdigita.bebop.FormModel.fireSubmitted(FormModel.java:391)
	at com.arsdigita.bebop.FormModel.process(FormModel.java:322)
	at com.arsdigita.bebop.Form.process(Form.java:440)
	at com.arsdigita.bebop.Form.respond(Form.java:281)
	at com.arsdigita.bebop.PageState.respond(PageState.java:367)
	at com.arsdigita.bebop.Page.process(Page.java:701)
	at com.arsdigita.bebop.Page.process(Page.java:683)
	at com.arsdigita.bebop.Page.buildDocument(Page.java:737)
	at com.arsdigita.cms.dispatcher.CMSPage$1.excurse(CMSPage.java:280)
	at com.arsdigita.cms.CMSExcursion$1.excurse(CMSExcursion.java:80)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.cms.CMSExcursion.run(CMSExcursion.java:75)
	at com.arsdigita.cms.dispatcher.CMSPage.dispatch(CMSPage.java:294)
	at _packages._content_22dsection._www._admin._index__jsp._jspService(_index__jsp.java:50)
	at com.caucho.jsp.JavaPage.service(JavaPage.java:75)
	at com.caucho.jsp.Page.subservice(Page.java:485)
	at com.caucho.server.http.FilterChainPage.doFilter(FilterChainPage.java:182)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77)
	at com.arsdigita.dispatcher.DispatcherHelper.forwardHelper(DispatcherHelper.java:193)
	at com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:222)
	at com.arsdigita.dispatcher.DispatcherHelper.forwardRequestByPath(DispatcherHelper.java:235)
	at com.arsdigita.cms.ContentSectionServlet.doService(ContentSectionServlet.java:136)
	at com.arsdigita.web.BaseApplicationServlet$1.excurse(BaseApplicationServlet.java:111)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.web.BaseApplicationServlet.doService(BaseApplicationServlet.java:105)
	at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147)
	at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
	at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:213)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:100)
	at com.caucho.server.http.QRequestDispatcher.forward(QRequestDispatcher.java:77)
	at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:201)
	at com.arsdigita.web.BaseDispatcher.forward(BaseDispatcher.java:185)
	at com.arsdigita.web.BaseDispatcher.dispatch(BaseDispatcher.java:132)
	at com.arsdigita.web.DispatcherServlet.doService(DispatcherServlet.java:123)
	at com.arsdigita.web.BaseServlet$1.excurse(BaseServlet.java:176)
	at com.arsdigita.kernel.KernelExcursion.run(KernelExcursion.java:57)
	at com.arsdigita.web.BaseServlet.internalService(BaseServlet.java:147)
	at com.arsdigita.web.BaseServlet.doPost(BaseServlet.java:291)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
	at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
	at com.caucho.server.http.Invocation.service(Invocation.java:312)
	at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:221)
	at com.caucho.server.http.HttpRequest.handleConnection(HttpRequest.java:163)
	at com.caucho.server.TcpConnection.run(TcpConnection.java:137)
	at java.lang.Thread.run(Thread.java:534)


-*-*-*- Section: HTTP headers -*-*-*-
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Length: 536
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=aTwbqxGrWpr6; ad_user_login=275!1168883704602!3DakhaISpsG3PX/p5FZGVA==
Host: goodeats:9004
Keep-Alive: 300
Referer: http://goodeats:9004/ccm/articles/admin/index.jsp?bbp.18.state=+61+&bbp.916.sel=91&bbp.s=605&g11n.enc=UTF-8&bbp.916.state=+91+&bbp.793.d=asc&bbp.3.pane=4&bbp.676.sel=119&bbp.547.stack=555&bbp.781.d=asc&bbp.18.sel=61&bbp.v=120+4&bbp.e=cell&bbp.681.stack=689&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1&bbp.68.ps=20&bbp.1020.d=asc
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031110 Firebird/0.7

-*-*-*- Section: Servlet attributes -*-*-*-
com.arsdigita.bebop.PageState: com.arsdigita.bebop.PageState@1f9f538 = {
m_page = com.arsdigita.cms.ui.ContentSectionPage@f29c65,
m_request = com.caucho.server.http.DispatchRequest@1e85210,
m_response = com.caucho.server.http.HttpResponse@1523bd4,
m_pageState = com.arsdigita.bebop.FormData@1d5e94f = {
m_formErrors = null,
m_model = com.arsdigita.bebop.FormModel@a93a16,
m_locale = en_US,
m_isTransformed = true,
m_isValid = true,
m_isSubmission = true
},
m_attributes = null,
,
m_grabbingComponent = null,
}
com.arsdigita.bebop.RequestLocal: {com.arsdigita.bebop.Form$2@750e30=}
com.arsdigita.cms.dispatcher.section:
[com.arsdigita.cms.ContentSection:{id=65}]
com.arsdigita.dispatcher.RequestContext:
com.arsdigita.sitenode.SiteNodeRequestContext@bf5743
com.arsdigita.dispatcher.RequestValue:
{com.arsdigita.dispatcher.RequestValue@15c1ae3=null}
com.arsdigita.web.BaseApplicationServlet.application_id: 65
com.arsdigita.web.BaseDispatcher.dispatched: true
com.arsdigita.web.BaseServlet.request_url:
/ccm/articles/admin/index.jsp?delay_hours=0&bbp.547.stack=555&bbp.781.d=asc&form.EditPhaseDefinition=visited&bbp.916.state=+91+&bbp.793.d=asc&bbp.18.state=+61+&bbp.605.col=4&bbp.3.pane=4&bbp.18.sel=61&bbp.916.sel=91&bbp.s=592&submit=%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0Edit+Phase%C3%82%C2%A0%C3%82%C2%A0%C3%82%C2%A0&bbp.681.stack=689&bbp.676.sel=119&duration_hours=&bbp.605.row=120&g11n.enc=UTF-8&delay_days=0&bbp.i=d0.4.1.3.1.2f.1.9.1.cg.1.y.1.1.1&duration_minutes=&bbp.68.ps=20&bbp.555.stack=592&label=Shrub&description=The+first+phase.+It+lasts+forever.&bbp.1020.d=asc&duration_days=&delay_minutes=0

-*-*-*- Section: Request summary -*-*-*-
Context path: 
Request URI: /ccm/articles/admin/index.jsp
Query string: null
Method: POST
Remote user: null

-*-*-*- Section: Cookies -*-*-*-
JSESSIONID: aTwbqxGrWpr6 (expires: -1)
ad_user_login: 275!1168883704602!3DakhaISpsG3PX/p5FZGVA== (expires: -1)
-*-*-*-*-*- End Error Report -*-*-*-*-*-

Comment 1 Jon Orris 2004-01-16 23:48:45 UTC
Fixing the NPE is pretty trivial. It's this code in FormSecurityListener:

        if (m_item == null && sm.canAccess(user, m_action)) {
            return;
        }

        final ContentItem item = m_item.getContentItem(state);

        if (sm.canAccess(user, m_action, item)) {
            return;
        }

        throw new AccessDeniedException();

Changing to if(m_item == null) ... else ... will give us an
AccessDenied page instead of an error, at least.



Comment 2 Jon Orris 2004-01-26 15:26:42 UTC
Fixed @39710. Note that this is only a partial fix for RC0, in that
the links still show up. Only the NPE is fixed, so that an 'Access
Denied' page is presented.

Opened bug 114313 to track the links shown bug.
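
The control flow from Comment 1, shown next to the if/else shape it proposes, as an added example that is not the CCM source. The `Checker` interface, the `Supplier<String>` standing in for `m_item`, and the user and action names are constructed stand-ins, and the code uses current Java syntax rather than the 1.4 runtime in the report.

```java
import java.util.function.Supplier;

// Added illustration: simplified stand-ins, not the com.arsdigita classes.
public class FormSecurityCheckDemo {
    static class AccessDeniedException extends RuntimeException {}

    // Hypothetical stand-in for the security manager ("sm") in the posted code.
    interface Checker {
        boolean canAccess(String user, String action);              // no item in scope
        boolean canAccess(String user, String action, String item); // item-level check
    }

    // Shape of the posted code: with no item model AND a denied user, the first
    // test is false, so execution falls through and dereferences null.
    static void checkBefore(Checker sm, String user, String action, Supplier<String> itemModel) {
        if (itemModel == null && sm.canAccess(user, action)) {
            return;
        }
        final String item = itemModel.get(); // NullPointerException when itemModel is null
        if (sm.canAccess(user, action, item)) {
            return;
        }
        throw new AccessDeniedException();
    }

    // "if (m_item == null) ... else ..." shape: each branch returns only on an
    // explicit grant, and every other path ends in AccessDeniedException.
    static void checkAfter(Checker sm, String user, String action, Supplier<String> itemModel) {
        if (itemModel == null) {
            if (sm.canAccess(user, action)) return;
        } else {
            if (sm.canAccess(user, action, itemModel.get())) return;
        }
        throw new AccessDeniedException();
    }

    static String outcome(Runnable check) {
        try { check.run(); return "allowed"; }
        catch (AccessDeniedException e) { return "access denied"; }
        catch (NullPointerException e) { return "NullPointerException"; }
    }

    public static void main(String[] args) {
        Checker denyAll = new Checker() { // constructed: a user without the permission
            public boolean canAccess(String u, String a) { return false; }
            public boolean canAccess(String u, String a, String i) { return false; }
        };
        System.out.println("before: " + outcome(() -> checkBefore(denyAll, "viewer", "lifecycle_admin", null)));
        System.out.println("after:  " + outcome(() -> checkAfter(denyAll, "viewer", "lifecycle_admin", null)));
    }
}
```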



