Changeset 7944 for branches/3.18-stable


Ignore:
Timestamp:
May 6, 2021, 10:51:19 AM (6 weeks ago)
Author:
Nicklas Nordborg
Message:

Fixes #2249: View Sessions and View Devices fail to display anything

The problem was that the "Owned by others" option had been enabled when the "Administrator" role was active. Then, when de-activating the "Administrator" role, the permission system notices that the user lacks the "Owned by others" permissions and applies a "denyAll" filter. The reason for this is that there is no "owned by me" filter defined for Session and Device items, so this is added to HibernateUtil.addFilterConditions(). Also realized that the Messages item has a similar underlying problem (except that it can never be triggered from the GUI since there is no "Owned by others" option for administrators to view messages for other users). To make everything work a QueryRuntimeFilter implementation is needed for Sessions, Devices and Messages.

Location:
branches/3.18-stable
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/3.18-stable/src/core/net/sf/basedb/core/HibernateUtil.java

    r7853 r7944  
    2929import net.sf.basedb.core.data.MessageData;
    3030import net.sf.basedb.core.data.RemovableData;
     31import net.sf.basedb.core.data.SessionData;
    3132import net.sf.basedb.core.data.OwnableData;
    3233import net.sf.basedb.core.data.ShareableData;
     
    3435import net.sf.basedb.core.data.NewsData;
    3536import net.sf.basedb.core.data.UserData;
     37import net.sf.basedb.core.data.UserDeviceData;
    3638import net.sf.basedb.core.dbengine.DbEngine;
    3739import net.sf.basedb.core.dbengine.EngineFactory;
     
    572574        defineFilter(classTag, itemType, "ownedBy", ":owner = `to_user_id`", filterConfig);
    573575        defineFilter(classTag, itemType, "ownedOrRemovedBy", "(:user = `to_user_id` OR :user = `removed_by`)", filterConfig);
     576      }
     577      if (SessionData.class.isAssignableFrom(c))
     578      {
     579        log.info("Adding 'ownedBy' filter to " + c.getName());
     580        defineFilter(classTag, itemType, "ownedBy", ":owner = `user_id`", filterConfig);
     581      }
     582      if (UserDeviceData.class.isAssignableFrom(c))
     583      {
     584        log.info("Adding 'ownedBy' filter to " + c.getName());
     585        defineFilter(classTag, itemType, "ownedBy", ":owner = `user_id`", filterConfig);
    574586      }
    575587      if (AnnotationData.class.isAssignableFrom(c))
  • branches/3.18-stable/src/core/net/sf/basedb/core/Message.java

    r7738 r7944  
    2828import net.sf.basedb.core.hibernate.TypeWrapper;
    2929import net.sf.basedb.core.query.Restrictions;
     30import net.sf.basedb.core.query.EntityQuery;
    3031import net.sf.basedb.core.query.Hql;
    3132import net.sf.basedb.util.EmailUtil;
     
    5657  */
    5758  public static final Item TYPE = Item.MESSAGE;
     59
     60  /**
     61    This filter will limit a query to only return messages
     62    for the logged in user unless the logged in user has generic
     63    read permission.
     64  */
     65  private static final QueryRuntimeFilter RUNTIME_FILTER = new QueryRuntimeFilterImpl();
    5866
    5967  /**
     
    165173  public static ItemQuery<Message> getQuery(User user)
    166174  {
    167     ItemQuery<Message> query = null;
    168    
     175    ItemQuery<Message> query = new ItemQuery<Message>(Message.class, RUNTIME_FILTER);
    169176    if (user != null)
    170177    {
    171       query = new ItemQuery<Message>(Message.class, null);
    172178      query.restrictPermanent(
    173179        Restrictions.eq(
     
    176182        )
    177183      );
    178     }
    179     else
    180     {
    181       query = new ItemQuery<Message>(Message.class);
    182184    }
    183185    return query;
     
    468470  }
    469471 
     472  /**
     473    A runtime filter implementation that limits a query to only
     474    return messages for the currently logged in user unless the logged
     475    in user has generic read permission.
     476  */
     477  private static class QueryRuntimeFilterImpl
     478    implements QueryRuntimeFilter
     479  {
     480    @Override
     481    public void enableFilters(QueryRuntimeFilterManager manager, EntityQuery query, DbControl dc)
     482    {
     483      SessionControl sc = dc.getSessionControl();
     484      if (sc.isDenied(query.getItemPermission(), query.getItemType()) || !sc.isLoggedIn())
     485      {
     486        manager.enableFilter("denyAll");
     487      }
     488      else if (query.isIncluded(Include.OTHERS) &&
     489        sc.hasPermission(query.getItemPermission(), query.getItemType()))
     490      {
     491        // Logged in user has generic permission and wants other user's items... --> no filter
     492      }
     493      else
     494      {
     495        // Load sessions for the logged in user
     496        org.hibernate.Filter filter = manager.enableFilter("ownedBy");
     497        if (filter != null)
     498        {
     499          filter.setParameter("owner", sc.getLoggedInUserId());
     500        }
     501      }
     502    }
     503  }
     504
    470505}
  • branches/3.18-stable/src/core/net/sf/basedb/core/Session.java

    r7900 r7944  
    2626import net.sf.basedb.core.hibernate.TypeWrapper;
    2727import net.sf.basedb.core.query.Restrictions;
     28import net.sf.basedb.core.query.EntityQuery;
    2829import net.sf.basedb.core.query.Hql;
    2930
     
    4950  */
    5051  public static final Item TYPE = Item.SESSION;
     52
     53  /**
     54    This filter will limit a query to only return sessions
     55    for the logged in user unless the logged in user has generic
     56    read permission.
     57  */
     58  private static final QueryRuntimeFilter RUNTIME_FILTER = new QueryRuntimeFilterImpl();
    5159
    5260  /**
     
    7482    Get a query configured to retrieve sessions for the specified user.
    7583   
    76     @param user The user to retreive sessions for, null is allowed if
    77       the logged in user has generic READ permission for sessions in which case
    78       all sessions will be returned
     84    @param user The user to retreive sessions for or null to load all
     85      sessions.
    7986    @return An {@link ItemQuery} object
    8087  */
    8188  public static ItemQuery<Session> getQuery(User user)
    8289  {
    83     ItemQuery<Session> query = null;
    84    
     90    ItemQuery<Session> query = new ItemQuery<Session>(Session.class, RUNTIME_FILTER);;
    8591    if (user != null)
    8692    {
    87       query = new ItemQuery<Session>(Session.class, null);
    8893      query.restrictPermanent(
    8994        Restrictions.eq(
     
    9297        )
    9398      );
    94     }
    95     else
    96     {
    97       query = new ItemQuery<Session>(Session.class);
    9899    }
    99100    return query;
     
    307308    return getData().getAuthenticationMethod();
    308309  }
     310 
     311  /**
     312    A runtime filter implementation that limits a query to only
     313    return sessions for the currently logged in user unless the logged
     314    in user has generic read permission.
     315  */
     316  private static class QueryRuntimeFilterImpl
     317    implements QueryRuntimeFilter
     318  {
     319    @Override
     320    public void enableFilters(QueryRuntimeFilterManager manager, EntityQuery query, DbControl dc)
     321    {
     322      SessionControl sc = dc.getSessionControl();
     323      if (sc.isDenied(query.getItemPermission(), query.getItemType()) || !sc.isLoggedIn())
     324      {
     325        manager.enableFilter("denyAll");
     326      }
     327      else if (query.isIncluded(Include.OTHERS) &&
     328        sc.hasPermission(query.getItemPermission(), query.getItemType()))
     329      {
     330        // Logged in user has generic permission and wants other user's items... --> no filter
     331      }
     332      else
     333      {
     334        // Load sessions for the logged in user
     335        org.hibernate.Filter filter = manager.enableFilter("ownedBy");
     336        if (filter != null)
     337        {
     338          filter.setParameter("owner", sc.getLoggedInUserId());
     339        }
     340      }
     341    }
     342  }
     343
    309344}
    310345
  • branches/3.18-stable/src/core/net/sf/basedb/core/UserDevice.java

    r7818 r7944  
    2424import net.sf.basedb.core.data.UserDeviceData;
    2525import net.sf.basedb.core.query.Restrictions;
     26import net.sf.basedb.core.query.EntityQuery;
    2627import net.sf.basedb.core.query.Hql;
    2728
     
    4748
    4849  /**
     50    This filter will limit a query to only return devices
     51    for the logged in user unless the logged in user has generic
     52    read permission.
     53  */
     54  private static final QueryRuntimeFilter RUNTIME_FILTER = new QueryRuntimeFilterImpl();
     55
     56  /**
    4957    Get a <code>UserDevice</code> item when you know the ID.
    5058
     
    7280  public static ItemQuery<UserDevice> getQuery(User user)
    7381  {
    74     ItemQuery<UserDevice> query = null;
    75    
     82    ItemQuery<UserDevice> query = new ItemQuery<UserDevice>(UserDevice.class, RUNTIME_FILTER);
    7683    if (user != null)
    7784    {
    78       query = new ItemQuery<UserDevice>(UserDevice.class, null);
    7985      query.restrictPermanent(
    8086        Restrictions.eq(
     
    8490      );
    8591    }
    86     else
    87     {
    88       query = new ItemQuery<UserDevice>(UserDevice.class);
    89     }
    9092    return query;
    9193  }
     
    283285  }
    284286 
     287  /**
     288    A runtime filter implementation that limits a query to only
     289    return devices for the currently logged in user unless the logged
     290    in user has generic read permission.
     291  */
     292  private static class QueryRuntimeFilterImpl
     293    implements QueryRuntimeFilter
     294  {
     295    @Override
     296    public void enableFilters(QueryRuntimeFilterManager manager, EntityQuery query, DbControl dc)
     297    {
     298      SessionControl sc = dc.getSessionControl();
     299      if (sc.isDenied(query.getItemPermission(), query.getItemType()) || !sc.isLoggedIn())
     300      {
     301        manager.enableFilter("denyAll");
     302      }
     303      else if (query.isIncluded(Include.OTHERS) &&
     304        sc.hasPermission(query.getItemPermission(), query.getItemType()))
     305      {
     306        // Logged in user has generic permission and wants other user's items... --> no filter
     307      }
     308      else
     309      {
     310        // Load sessions for the logged in user
     311        org.hibernate.Filter filter = manager.enableFilter("ownedBy");
     312        if (filter != null)
     313        {
     314          filter.setParameter("owner", sc.getLoggedInUserId());
     315        }
     316      }
     317    }
     318  }
     319
    285320}
    286321
  • branches/3.18-stable/www/views/devices/list_devices.jsp

    r7938 r7944  
    7979try
    8080{
    81   final User user = cc.getInclude().contains(Include.OTHERS) ?
    82     null : User.getById(dc, sc.getLoggedInUserId());
     81  final User user = User.getById(dc, sc.getLoggedInUserId());
    8382
    8483  Formatter<Date> dateFormatter = FormatterFactory.getDateFormatter(sc);
     
    8887  try
    8988  {
    90     final ItemQuery<UserDevice> query = Base.getConfiguredQuery(dc, cc, jspContext, true, UserDevice.getQuery(user), mode);
     89    final ItemQuery<UserDevice> query = Base.getConfiguredQuery(dc, cc, jspContext, true, UserDevice.getQuery(null), mode);
    9190    devices = query.iterate(dc);
    9291  }
  • branches/3.18-stable/www/views/sessions/list_sessions.jsp

    r7938 r7944  
    9191  try
    9292  {
    93     final ItemQuery<Session> query = Base.getConfiguredQuery(dc, cc, jspContext, true, Session.getQuery(cc.getInclude().contains(Include.OTHERS) ? null : user), mode);
     93    final ItemQuery<Session> query = Base.getConfiguredQuery(dc, cc, jspContext, true, Session.getQuery(null), mode);
     94    cc.setMessage(query.toQl(dc));
    9495    sessions = query.iterate(dc);
    9596  }
Note: See TracChangeset for help on using the changeset viewer.