Changeset 7205


Timestamp:
Oct 19, 2016, 8:46:15 AM (5 years ago)
Author:
Nicklas Nordborg
Message:

References #2033: Permissions for annotating items may be incorrectly implemented

Check for USE permission on the annotation type before creating, modifying or deleting an annotation.

Location:
trunk/src/core/net/sf/basedb/core
Files:
2 edited

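--- a/trunk/src/core/net/sf/basedb/core/Annotation.java
+++ b/trunk/src/core/net/sf/basedb/core/Annotation.java
@@ -195,5 +195,7 @@
   READ permission is granted if the logged in user has READ permission on
   the associated item and annotation type. CREATE, WRITE and DELETE permissions
-  are granted if the logged in user has WRITE permission on the associated item.
+  are granted if the logged in user has WRITE permission on the associated item
+  and USE permission on the annotation type. USE permission (needed for inheriting)
+  is granted if the logged in user has USE permission on the associated item.
 */
 @Override
@@ -202,9 +204,10 @@
 {
   AnnotationSet as = getAnnotationSet();
+  AnnotationType at = null;
   if (!disableATPermissionCheck)
   {
-    AnnotationType at = getAnnotationType();
-  }
-  if (as.hasPermission(Permission.WRITE))
+    at = getAnnotationType();
+  }
+  if (as.hasPermission(Permission.WRITE) && (at == null || at.hasPermission(Permission.USE)))
   {
     granted |= Permission.grant(Permission.CREATE, Permission.READ, Permission.WRITE, Permission.DELETE);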
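Review bot: The `at == null` arm of the new condition grants CREATE, WRITE and DELETE with no annotation-type check at all, and it covers two different situations: `disableATPermissionCheck` being set, and `getAnnotationType()` handing back null. If the second can ever happen (not visible from these lines), the USE check fails open; keeping the two cases apart makes the intent explicit, for example `boolean useOk = disableATPermissionCheck || (at != null && at.hasPermission(Permission.USE));` followed by `if (as.hasPermission(Permission.WRITE) && useOk)`. The updated Javadoc states the USE requirement unconditionally, so it should also say that the flag bypasses it. The method body starts and ends outside the shown lines.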
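--- a/trunk/src/core/net/sf/basedb/core/AnnotationSet.java
+++ b/trunk/src/core/net/sf/basedb/core/AnnotationSet.java
@@ -558,4 +558,5 @@
     // Create a new annotation
     checkPermission(Permission.WRITE);
+    annotationType.checkPermission(Permission.USE);
     // AnnotatableProxy items allow annotations of all types
     boolean isAnnotatableProxy = AnnotatableProxy.class.isAssignableFrom(getItemType().getItemClass());
@@ -709,4 +710,5 @@
   checkPermission(Permission.WRITE);
   if (annotationType == null) throw new InvalidUseOfNullException("annotationType");
+  annotationType.checkPermission(Permission.USE);
 
   DbControl dc = getDbControl();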
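Review bot: In the first hunk the new `annotationType.checkPermission(Permission.USE)` at new line 560 dereferences `annotationType` with no null guard in view, while the second hunk places the same call after the `InvalidUseOfNullException` check. Unless the enclosing method validates the argument above the shown lines, a null type would surface as a NullPointerException instead of the project's own exception; repeating `if (annotationType == null) throw new InvalidUseOfNullException("annotationType");` before the call would keep the two paths consistent. Both checks are also unconditional, whereas Annotation.java skips the USE check when `disableATPermissionCheck` is set, so it is worth confirming that callers relying on that flag never reach these methods. Both enclosing methods start and end outside the shown lines.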