Bug 117600 - Folder Browser : missing permission checking on item link
Product: Red Hat Enterprise CMS
Classification: Retired
Component: ui
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: ccm-bugs-list
QA Contact: Jon Orris
Keywords: Security
Blocks: 108447
Reported: 2004-03-05 13:17 EST by durnez
Modified: 2007-04-18 13:03 EDT

Doc Type: Bug Fix
Last Closed: 2006-09-05 13:50:20 EDT

Attachments: None
Description durnez 2004-03-05 13:17:29 EST
Description of problem:

When a user has zero rights on items, he can nonetheless click on them
(FolderBrowser.java) and browse through all authoring steps, hence
seeing the attribute values of the item he has no right on.

Which is not correct.

Users should not be able to click on the items displayed in the folder
browser (paginated display).

The following method in FolderBrowser.java should be modified:
NameCellRenderer.getComponent(Table table, PageState state, Object
value, boolean isSelected, Object key, int row, int column)

Below is the log of the associated Perforce changelist #41089:

@@ -259,10 +265,17 @@
                 return super.getComponent(table, state, name,
                                           isSelected, key, row, column);
             } else {
+                               // Add permission checking, based on
edit permission
+                               PrivilegeDescriptor editpriv =
+                               Folder folder = (Folder)
+                               Party party  =
+                               boolean canedit =
+                 ContentSection section =
CMS.getContext().getContentSection();                 BigDecimal id =
-                if (section == null) {+                // Use
permission checking : do not display link if not editable.
+                if (section == null || !canedit) {
                     return new Label(name);
                 } else {
                     ItemResolver resolver = section.getItemResolver();
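Review bot: the new guard `if (section == null || !canedit)` makes the link depend on an edit privilege (`PrivilegeDescriptor editpriv`), so a party with read-only rights on the item loses the link together with the party that has no rights at all, although the report only asks to hide items the user has no right on; the privilege tested here should be the one the authoring steps themselves require to show the item (read or preview), not edit. Returning `new Label(name)` also only removes the link from the listing: the URL the `ItemResolver` builds in the else branch stays reachable by anyone who types it, so the same permission test has to be enforced where the authoring steps load the item, or the disclosure described in the report remains. Note as well that the check is built from `Folder folder = (Folder)`, i.e. at folder level, while the report concerns rights on the item; confirm the two agree for items whose permissions differ from their folder's.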

Question: is SecurityManager.CMS_EDIT_ITEM correct?
Should we not use SecurityManager.CMS_READ_ITEM?
Comment 1 Scott Seago 2004-03-05 13:21:41 EST
We should either check on CMS_READ_ITEM or CMS_PREVIEW_ITEM -- users
shouldn't need edit permissions to view the item on the back end. In
particular, we need to filter on the same permission that back-end
search results are filtered on (assuming they're filtered currently)
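To make the point of the description and of Comment 1 concrete, here is an added example, not code from CCM/Rickshaw and not the real Bebop or SecurityManager API: the cell renderer decides between a link and a plain label using the same read privilege the authoring page requires, and the authoring page re-checks that privilege, because suppressing the link does nothing for a user who types the item URL by hand. It also shows why gating on the edit privilege (as the changelist did) is wrong: a read-only reviewer would lose the link. `Privilege`, `PermissionService`, `Label`, `Link`, `renderNameCell`, `authoringStep`, the parties and the item id 1001 are all hypothetical stand-ins.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not CCM code: models the FolderBrowser cell-renderer decision
// (link vs. plain label) and the authoring step it links to, both gated by the
// same READ_ITEM privilege. Every class and name here is a hypothetical stand-in.
public class FolderBrowserPermissionExample {

    enum Privilege { READ_ITEM, PREVIEW_ITEM, EDIT_ITEM }

    /** Hypothetical stand-in for the CMS permission service (in-memory grants). */
    static final class PermissionService {
        private final Map<String, Set<Privilege>> grants = new HashMap<>();

        void grant(String party, String itemId, Privilege... privs) {
            grants.computeIfAbsent(party + "@" + itemId, k -> EnumSet.noneOf(Privilege.class))
                  .addAll(Arrays.asList(privs));
        }

        boolean check(String party, String itemId, Privilege priv) {
            Set<Privilege> s = grants.get(party + "@" + itemId);
            return s != null && s.contains(priv);
        }
    }

    /** Minimal stand-ins for the UI components named in the bug report. */
    interface Component { String render(); }

    static final class Label implements Component {
        private final String text;
        Label(String text) { this.text = text; }
        public String render() { return text; }
    }

    static final class Link implements Component {
        private final String text, url;
        Link(String text, String url) { this.text = text; this.url = url; }
        public String render() { return "<a href=\"" + url + "\">" + text + "</a>"; }
    }

    // The privilege the authoring steps require to display an item. The folder
    // browser tests exactly this one, so the link appears iff the target page
    // would let the party in. Testing EDIT_ITEM here would hide the link from
    // read-only parties who are entitled to view the item.
    static final Privilege AUTHORING_VIEW_PRIVILEGE = Privilege.READ_ITEM;

    /** Cell renderer: render a link only when the party may read the item. */
    static Component renderNameCell(PermissionService perms, String party,
                                    String itemId, String name) {
        if (!perms.check(party, itemId, AUTHORING_VIEW_PRIVILEGE)) {
            return new Label(name);
        }
        return new Link(name, "/admin/item.jsp?item_id=" + itemId);
    }

    /** Target page: re-checks the same privilege. Hiding the link is not authorization. */
    static String authoringStep(PermissionService perms, String party, String itemId,
                                Map<String, String> attributes) {
        if (!perms.check(party, itemId, AUTHORING_VIEW_PRIVILEGE)) {
            throw new SecurityException("party " + party + " may not read item " + itemId);
        }
        return attributes.toString();
    }

    public static void main(String[] args) {
        PermissionService perms = new PermissionService();
        perms.grant("editor", "1001", Privilege.READ_ITEM, Privilege.EDIT_ITEM);
        perms.grant("reviewer", "1001", Privilege.READ_ITEM); // read-only: still gets a link
        // "outsider" has no grants on item 1001 at all.

        Map<String, String> attrs = new HashMap<>();           // constructed sample item
        attrs.put("title", "Q1 forecast (constructed sample)");

        for (String party : new String[] {"editor", "reviewer", "outsider"}) {
            System.out.println(party + " sees:  " + renderNameCell(perms, party, "1001", "forecast").render());
            try {
                // Simulates the party requesting the authoring URL directly, link or no link.
                System.out.println(party + " opens: " + authoringStep(perms, party, "1001", attrs));
            } catch (SecurityException e) {
                System.out.println(party + " denied: " + e.getMessage());
            }
        }
    }
}
```

Running it, "editor" and "reviewer" both get a link and can open the step, while "outsider" gets a plain label and is refused by `authoringStep` even when requesting the URL directly; the second check is the one that actually prevents the attribute disclosure the report describes.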
Comment 2 Scott Seago 2004-03-05 13:35:57 EST
Actually, this should be a non-issue from a UI point of view.
Currently although item-level permissions are allowed by the API, the
UI only controls folder-level permissions. If you have no rights to
the items in the folder, you will also have no rights to the current
folder, so you shouldn't see that folder in the list. I know that, for
rickshaw at least, the filtering on folder-level permissions has been
done. I'm not sure if it's been propagated to 6.0, and I'm not sure if
the filtering included item-level permissions as well.
Comment 3 Scott Seago 2004-03-10 09:23:10 EST
See bug 111030 for the folder browser fix. It's currently on london
5.2 but not yet propagated to 6.0 or rickshaw.
Comment 4 Jon Orris 2006-09-05 13:50:20 EDT
Closing old tickets
