Bug 98867 - Folder#getItems has bogus permissions filter
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Justin Ross
QA Contact: Jon Orris
Keywords: Security
Blocks: rc0blockers
Reported: 2003-07-09 13:41 EDT by Daniel Berrange
Modified: 2007-04-18 12:55 EDT
Doc Type: Bug Fix
Last Closed: 2003-07-09 14:48:36 EDT

Description Daniel Berrange 2003-07-09 13:41:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The following code in Folder#getItems is totally bogus & should be removed. I
believe it was accidentally introduced in the URL category browser merge - a
similar thing happened in London CMS 5.2. It has 4 problems:

* It totally kills performance of browsing a site with a deep folder structure,
because it is explicitly checking permissions at every level.
* It is redundant because the Dispatcher already checks permissions
* It is redundant because the permissions context hierarchy represents the
hierarchical nature of permissions on folders already
* It can result in a situation where logged-in users *can't* view items,
whereas anonymous users can!

        final KernelContext context = Kernel.getContext();

        // If the context is null then it is a cron job or an initializer,
        // so we do not want to restrict the permissions because there is
        // not a partyID to restrict them to (e.g., context.getParty() ==
        // null).
        if (context.getParty() != null) {
                (query, "item." + ACSObject.ID,

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Look in Folder.java to see if the code is still there

Additional info:
Comment 1 Richard Li 2003-07-09 14:48:36 EDT
p4 33405
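
The fourth problem in the description, modelled as an added example (not code from the CMS or from the report): a listing that filters only when a party is present returns more to a caller with no party than to a logged-in one. The Item record, the GRANTS table and the party names are hypothetical, and the model assumes an anonymous request reaches the method with a null party.

```java
import java.util.*;
import java.util.stream.*;

// Simplified model; Item, GRANTS and the party names are hypothetical, not CMS classes.
public class FolderFilterDemo {
    record Item(String id, String folder) {}

    // Constructed sample data: read grants per party (value = readable item ids).
    static final Map<String, Set<String>> GRANTS = Map.of(
        "editor", Set.of("a1", "a2", "a3"),
        "member", Set.of("a1"));

    // Constructed sample data: items at increasing folder depth.
    static final List<Item> ITEMS = List.of(
        new Item("a1", "/news"),
        new Item("a2", "/news/2003"),
        new Item("a3", "/news/2003/07"));

    // Same shape as the snippet in the report: the filter is applied only
    // when a party is present, so a null party gets the unfiltered query.
    static List<String> getItems(String party) {
        Stream<Item> query = ITEMS.stream();
        if (party != null) {
            Set<String> readable = GRANTS.getOrDefault(party, Set.of());
            query = query.filter(i -> readable.contains(i.id()));
        }
        return query.map(Item::id).collect(Collectors.toList());
    }

    // Regression check: items a null party can list but the given party cannot.
    // A non-empty result means authenticating reduced what the caller can see.
    static List<String> hiddenFromParty(String party) {
        List<String> missing = new ArrayList<>(getItems(null));
        missing.removeAll(getItems(party));
        return missing;
    }

    public static void main(String[] args) {
        System.out.println("null party sees: " + getItems(null));
        for (String p : List.of("editor", "member")) {
            System.out.println(p + " sees: " + getItems(p)
                + ", hidden: " + hiddenFromParty(p));
        }
    }
}
```

A check like hiddenFromParty, run per role against a test site, flags any listing path where enforcement depends on whether a principal is attached rather than on a single authorization decision.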
