Bug 98867 - Folder#getItems has bogus permissions filter
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other
Version: nightly
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Justin Ross
QA Contact: Jon Orris
Depends On:
Blocks: rc0blockers
Reported: 2003-07-09 17:41 UTC by Daniel Berrangé
Modified: 2007-04-18 16:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-07-09 18:48:36 UTC


Description Daniel Berrangé 2003-07-09 17:41:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The following code in Folder#getItems is totally bogus & should be removed. I
believe it was accidentally introduced in the URL category browser merge - a
similar thing happened in London CMS 5.2. It has 4 problems:

* It totally kills performance of browsing a site with deep folder structure,
because it is explicitly checking permissions at every level.
* It is redundant because the Dispatcher already checks permissions
* It is redundant because the permissions context hierarchy represents the
hierarchical nature of permissions on folders already
* It can result in a situation where logged in users *can't* view items, whereas
anonymous users can!

        final KernelContext context = Kernel.getContext();

        // If the context is null then it is a cron job or an initializer,
        // so we do not want to restrict the permissions because there is
        // not a partyID to restrict them to (e.g., context.getParty() ==
        // null).
        if (context.getParty() != null) {
                (query, "item." + ACSObject.ID,

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Look in Folder.java to see if the code is still there

Additional info:

Comment 1 Richard Li 2003-07-09 18:48:36 UTC
p4 33405
