Bug 117600 - Folder Browser : missing permission checking on item link
Summary: Folder Browser : missing permission checking on item link
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: ui
Version: 6.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: ccm-bugs-list
QA Contact: Jon Orris
URL:
Whiteboard:
Depends On:
Blocks: 108447
Reported: 2004-03-05 18:17 UTC by durnez
Modified: 2007-04-18 17:03 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-09-05 17:50:20 UTC
Embargoed:


Description durnez 2004-03-05 18:17:29 UTC
Description of problem:

When a user has zero rights on items, he can nonetheless click on them
(FolderBrowser.java) and browse through all authoring steps, hence
seeing the attribute values of the item he has no rights on.

Which is not correct.

User should not be able to click on the items displayed in folder
browser (paginated display).


The following method in FolderBrowser.java should be modified:
NameCellRenderer.getComponent(Table table, PageState state, Object
value, boolean isSelected, Object key, int row, int column)

Below is the log of the associated Perforce changelist #41089:

@@ -259,10 +265,17 @@
                 return super.getComponent(table, state, name,
                                           isSelected, key, row, column);
             } else {
+                               // Add permission checking, based on
edit permission
+                               PrivilegeDescriptor editpriv =
PrivilegeDescriptor.get(SecurityManager.CMS_EDIT_ITEM);
+                               Folder folder = (Folder)
m_currentFolder.getSelectedObject(state);
+                               Party party  =
Kernel.getContext().getParty();
+                               boolean canedit =
PermissionService.checkPermission(new
PermissionDescriptor(editpriv,folder,party));
+                 ContentSection section =
CMS.getContext().getContentSection();                 BigDecimal id =
coll.getID(); 
-                if (section == null) {+                // Use
permission checking : do not display link if not editable.
+                if (section == null || !canedit) {
                     return new Label(name);
                 } else {
                     ItemResolver resolver = section.getItemResolver();
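Review bot: the link is gated on the edit privilege (`PrivilegeDescriptor.get(SecurityManager.CMS_EDIT_ITEM)`), so a party that may read but not edit the item loses the link as well, while the report only asks that users with no rights at all be stopped; gate it on the read (or preview) privilege, and on the same privilege the folder listing itself is filtered on, otherwise the listing and the link disagree about who may see what. Two further points on the same lines: the `PermissionDescriptor` is built against `m_currentFolder.getSelectedObject(state)`, i.e. the folder, not the item in the row being rendered, so an item whose permissions differ from its folder is not covered by this check; and since the check sits inside `NameCellRenderer.getComponent` it runs a permission lookup once per row, whereas a folder-level decision could be computed once per request and reused. Finally, `BigDecimal id = coll.getID();` appears appended to the `ContentSection section = ...` line in the hunk as pasted; please confirm that is a paste artefact and not what was submitted.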



Question: is SecurityManager.CMS_EDIT_ITEM correct?
Should we not use SecurityManager.CMS_READ_ITEM instead?

Comment 1 Scott Seago 2004-03-05 18:21:41 UTC
We should either check on CMS_READ_ITEM or CMS_PREVIEW_ITEM -- users
shouldn't need edit permissions to view the item on the back end. In
particular, we need to filter on the same permission that back-end
search results are filtered on (assuming they're filtered currently)

Comment 2 Scott Seago 2004-03-05 18:35:57 UTC
Actually, this should be a non-issue from a UI point of view.
Currently although item-level permissions are allowed by the API, the
UI only controls folder-level permissions. If you have no rights to
the items in the folder, you will also have no rights to the current
folder, so you shouldn't see that folder in the list. I know that, for
rickshaw at least, the filtering on folder-level permissions has been
done. I'm not sure if it's been propagated to 6.0, and I'm not sure if
the filtering included item-level permissions as well.
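The two comments above raise two separate questions about the check in changelist #41089: which privilege the link should be gated on (comment 1) and whether checking the current folder is enough when item-level permissions can differ from the folder's (comment 2). The following Python model is an added example, not code from this bug or from the CMS; it stands in for `NameCellRenderer.getComponent` with constructed parties, items and grants, and it assumes one inheritance rule (an item with no grant entry of its own takes its folder's grants) so that the folder-versus-item difference can be shown. Names such as `render_folder`, `check_target` and the party names are invented for the example.

```python
"""Model of the folder-browser link decision (added example, not CMS code)."""
from dataclasses import dataclass

# Privilege names taken from the bug report; the values are placeholders.
CMS_READ_ITEM = "cms_read_item"
CMS_EDIT_ITEM = "cms_edit_item"


@dataclass(frozen=True)
class Item:
    id: int
    name: str
    folder: str


# Constructed grants: (party, object key) -> set of privileges granted directly.
# Object keys are "folder:<name>" or "item:<id>".
ACL = {
    ("editor", "folder:news"): {CMS_READ_ITEM, CMS_EDIT_ITEM},
    ("reader", "folder:news"): {CMS_READ_ITEM},
    ("reader", "item:2"): set(),  # item-level entry that grants nothing
}

# Constructed folder contents.
ITEMS = [Item(1, "press-release", "news"), Item(2, "draft-merger", "news")]


def check_permission(acl, privilege, target, party):
    """Stand-in for PermissionService.checkPermission.

    `target` is a folder name or an Item. Modelled rule (an assumption of this
    example): an item with its own entry is judged only on that entry; an item
    without one inherits whatever its folder grants to the party.
    """
    if isinstance(target, Item):
        own = acl.get((party, f"item:{target.id}"))
        if own is not None:
            return privilege in own
        return privilege in acl.get((party, f"folder:{target.folder}"), set())
    return privilege in acl.get((party, f"folder:{target}"), set())


def render_name_cell(acl, item, party, privilege, check_target="item"):
    """Mirror of the getComponent decision: ("link", id) or ("label", name).

    `privilege` is what the link is gated on; `check_target` is "folder" to
    check the current folder as the changelist does, or "item" for the row's item.
    """
    target = item if check_target == "item" else item.folder
    if check_permission(acl, privilege, target, party):
        return ("link", item.id)
    return ("label", item.name)


def render_folder(acl, items, folder, party, privilege, check_target="item"):
    """Folder listing filtered on folder-level read (comment 2), then each row rendered."""
    if not check_permission(acl, CMS_READ_ITEM, folder, party):
        return []  # the party cannot see the folder at all
    return [
        render_name_cell(acl, item, party, privilege, check_target)
        for item in items
        if item.folder == folder
    ]


if __name__ == "__main__":
    # Changelist behaviour: edit privilege checked on the folder; a read-only party loses every link.
    print(render_folder(ACL, ITEMS, "news", "reader", CMS_EDIT_ITEM, "folder"))
    # Read privilege, still checked on the folder: the item-level entry on item 2 is not seen.
    print(render_folder(ACL, ITEMS, "news", "reader", CMS_READ_ITEM, "folder"))
    # Read privilege checked on the item: link for item 1, plain label for item 2.
    print(render_folder(ACL, ITEMS, "news", "reader", CMS_READ_ITEM, "item"))
```

Run with `python3 folder_browser_model.py`. The first call shows the effect comment 1 objects to (readers get no link at all when the gate is the edit privilege), the second shows why checking only the current folder is sufficient exactly when item permissions never diverge from the folder, as comment 2 assumes, and the third shows the per-item check that would be needed otherwise.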

Comment 3 Scott Seago 2004-03-10 14:23:10 UTC
See bug 111030 for the folder browser fix. It's currently on london
5.2 but not yet propagated to 6.0 or rickshaw.

Comment 4 Jon Orris 2006-09-05 17:50:20 UTC
Closing old tickets
