|Title|Permissions in 2.2.33 can be fixed easily!
|Date|26-Sep-2005 05:46:06 EEST
|[Bug criticality]|MediumBug
|Browser version|Any
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|Tomcat
|Operating System|Any
|Java version|1.4.2

As documented, in 2.2.33 permissions are broken. Basically this is what happens:

- If a permission is set in LeftMenu or other default pages, these permissions are brought to each page. In fact, the getHTML of the engine is called with a context and a page, but the permissions it parses end up in the context page, and not in the page given, so if the context page is "Main" but the page actually rendering is the LeftMenu, LeftMenu permissions are added in Main. These few lines fix this problem:

    public String getHTML( WikiContext context, WikiPage page )
        String pagedata = null;
        pagedata = getPureText( page.getName(), page.getVersion() );

+++     WikiPage prepage = context.getPage(); // Takes the context page
+++     context.setPage(page);                // Puts the actual page in the context
        String res = textToHTML( context, pagedata );
+++     context.setPage(prepage);             // Resets the context page to what it was previously

        return res;
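
Review bot: The restore at `context.setPage(prepage);` is skipped if `textToHTML( context, pagedata )` throws, which would leave the caller's context pointing at the included page instead of the page it was created for. Put the call in a try block and do the reset in `finally`, so the context page is always put back. A name such as `previousPage` would also read more clearly than `prepage`.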


- When there is no permission for a principal, then the permission is searched for the groups the user is a member of. The group principal is passed to the AclImpl class, and this class checks if there is a permission for this group. If there isn't, then it does the same thing, checking if the given principal is a member of a group for which there is a permission ... but the principal IS a group, so in the isMember method an exception is thrown. This line fixes the problem:

(line 215 and following)
        //  In case both positive and negative permissions have been set, 
        //  we'll err for the negative by quitting immediately if we see
        //  a match.  For positive, we have to wait until here.

        if( posEntry ) return ALLOW;
+++     if (!(principal instanceof UserProfile)) return NONE;  // No need to search in groups, isMemeber will throw exception
        // System.out.println("-> groups");
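
Review bot: The guard `if (!(principal instanceof UserProfile)) return NONE;` returns NONE for every principal that is not a UserProfile, which is broader than the failure described above (a group principal reaching the isMember call). Either test for the group principal type explicitly, or say in the comment that all non-user principals are deliberately excluded from the group search. The comment on the added line also misspells isMember as "isMemeber".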

- When the default permissions are set (in the page DefaultPermissions) they are not loaded properly by the PageAuthorizer. It uses the getAttribute method of WikiPage to retrieve a variable in which default permissions are stored, but actually attributes are not there until the page is parsed. So, the DefaultPermissions page must be fully parsed before asking for the variable. This is not a big performance problem since they are then cached. These lines in the method buildDefaultPermissions of PageAuthorizer fix the problem:

        WikiPage defpage = m_engine.getPage( DEFAULT_PERMISSIONPAGE );

        if( defpage == null ) return;

+++     this.m_engine.getHTML(new WikiContext(this.m_engine, defpage),defpage);  // Parse the page before getting variables
        String defperms = (String)defpage.getAttribute( VAR_PERMISSIONS );
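
Review bot: The added `getHTML(...)` call is made only for its side effect of populating the page attributes, and its rendered output is thrown away, so the dependency of `defpage.getAttribute( VAR_PERMISSIONS )` on a prior render is implicit and easy to break later. Expand the comment to say that the return value is intentionally ignored and why the render has to come first. The added line also uses `this.m_engine` while the unchanged line above uses `m_engine`; keep one form within the method.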

- With these fixes, I now have a 2.3.33 stable version with ACL permissions working. I think there could be another problem though: default permissions are checked only by user, and not by group, in the AuthorizationManager.checkPermission method. I know that the AclImpl.findPermission method does a per-group search somehow, but why is the page ACL searched both ways while the default one is not? I'll try to spot this out.


Thanks, but please be aware that the 2.2 auth system is not supported in any way.  You need to apply these patches yourself, as 2.3 already contains a far superior auth system.

-- JanneJalkanen