How reproducible: always

Steps to Reproduce:
1. Create a user without any roles.
2. Log in
3. Call ResourceManager.getResource(0)

Actual results:
ResourceNotFoundException: A Resource with id 0 does not exist in inventory

Expected results:
PermissionException

Additional info:
Created attachment 579849: test case
triaged 4/30/2012 by loleary, ccrouch, mfoley
Suggest this be closed, it's working as expected. It is not a permission exception to try and view a resource. Everyone has view privilege. If you can't actually see it then it is basically a ResourceNotFound, whether it exists or not.
While I tend to close this, I can see Viet's point. This is with a user that only has access rights to a group of 2 resources:

test@localhost:7080$ ResourceManager.getResource(0)
org.rhq.enterprise.server.resource.ResourceNotFoundException: [Warning] A Resource with id 0 does not exist in inventory.
ResourceManager.getResource(0)
^
test@localhost:7080$ ResourceManager.getResource(10001)
org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=test]] does not have permission to view resource [10001]
ResourceManager.getResource(10001)
^

Here resource with id 0 does not exist, while the user can't access the one with 10001. In scenarios like username/password, the rule is e.g. not to expose information on login failure about whether the username is valid or not, so that an attacker can't use that information to narrow the attack path. In the above example, we might internally catch the PermissionException and return a ResourceNotFound one. But then that will probably break existing scripts.
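The trade-off discussed in the previous comment, as an added example that is not RHQ code: a stand-in for a getResource call in two variants, one that throws distinct exceptions (the behaviour reported in the bug) and one that collapses "exists but not visible" into "not found" so the exception type no longer reveals whether an id exists, while an audit line keeps the real reason available server-side. The class, method and user names, the inventory contents and the audit format are all hypothetical; only the two exception names come from the bug.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not RHQ code. Class/method names are hypothetical stand-ins
// for ResourceManager.getResource; only the two exception names come from the bug.
public class ResourceLookupExample {

    static class ResourceNotFoundException extends RuntimeException {
        ResourceNotFoundException(int id) {
            super("A Resource with id " + id + " does not exist in inventory");
        }
    }

    static class PermissionException extends RuntimeException {
        PermissionException(String user, int id) {
            super("User [" + user + "] does not have permission to view resource [" + id + "]");
        }
    }

    // Constructed inventory: resource id -> users allowed to view it.
    private final Map<Integer, Set<String>> inventory = new HashMap<>();

    ResourceLookupExample() {
        inventory.put(10001, Set.of("rhqadmin"));
        inventory.put(10002, Set.of("rhqadmin", "test"));
    }

    // Behaviour described in the bug: two different exception types, so the
    // type alone tells the caller whether the id exists in inventory.
    String getResourceDistinct(String user, int id) {
        Set<String> viewers = inventory.get(id);
        if (viewers == null) {
            throw new ResourceNotFoundException(id);
        }
        if (!viewers.contains(user)) {
            throw new PermissionException(user, id);
        }
        return "Resource[" + id + "]";
    }

    // Variant suggested in the comment: both failures surface as
    // ResourceNotFoundException with the same message, and the real reason
    // is written to a server-side audit line so operators can still
    // distinguish a denied view from a bad id.
    String getResourceUniform(String user, int id) {
        Set<String> viewers = inventory.get(id);
        if (viewers == null) {
            audit(user, id, "no-such-resource");
            throw new ResourceNotFoundException(id);
        }
        if (!viewers.contains(user)) {
            audit(user, id, "permission-denied");
            throw new ResourceNotFoundException(id);
        }
        return "Resource[" + id + "]";
    }

    // Hypothetical audit sink; a real server would route this to its audit log.
    private static void audit(String user, int id, String reason) {
        System.err.println("AUDIT getResource user=" + user + " id=" + id + " reason=" + reason);
    }

    // Simple class name of the exception the caller observes, or "ok".
    static String outcome(Runnable call) {
        try {
            call.run();
            return "ok";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ResourceLookupExample mgr = new ResourceLookupExample();
        String user = "test"; // has rights to 10002 only, mirroring the limited user in the bug
        for (int id : new int[] {0, 10001, 10002}) {
            System.out.printf("id=%d distinct=%s uniform=%s%n", id,
                outcome(() -> mgr.getResourceDistinct(user, id)),
                outcome(() -> mgr.getResourceUniform(user, id)));
        }
    }
}
```

Running main shows the difference the comment describes: with the distinct variant, id 0 yields ResourceNotFoundException and id 10001 yields PermissionException, so the two cases are distinguishable from the caller's side; with the uniform variant both yield ResourceNotFoundException and only the audit line differs. The cost is the one the comment names: any existing CLI script that catches PermissionException to branch on authorization would stop seeing it.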
I see the semantic difference as well. Although given that this is not a customer issue and changing the behavior could be interpreted as an API breakage, I'm closing as Won't Fix.