Bug 19411 - AccessDeniedException is thrown instead of ObjectNotFoundException
Status: NEW
Alias: None
Product: Slide
Classification: Unclassified
Component: WebDAV Server
Version: 1.0.16 Stable
Hardware: Other other
Importance: P3 normal
Target Milestone: ---
Assignee: Slide Developer List
Reported: 2003-04-29 03:36 UTC by Willie Vu
Modified: 2004-11-16 19:05 UTC
Description Willie Vu 2003-04-29 03:36:58 UTC
I found a bug related to invalid object URL and permission setting.

Here is the scenario:

/                                [/users/root-/actions-inheritable]
/files/john/resources            [/users/john-/actions-inheritable]
/files/john/resources/folder1

Now, if I use the structure helper to retrieve /files/john/resources/folder1 using
either root or john, it works as expected.  When I deliberately retrieve an
invalid node, say /files/john/resources/invalid-folder, root and john get
different exceptions.  For root, we get ObjectNotFoundException, as expected. 
For john, we get AccessDeniedException!!!

org.apache.slide.security.AccessDeniedException: Access denied on / by user
/users/john for action /actions/read
  at org.apache.slide.security.SecurityImpl.checkCredentials(SecurityImpl.java:389)
  at org.apache.slide.structure.StructureImpl.retrieve(StructureImpl.java:226)
  at org.apache.slide.structure.StructureImpl.retrieve(StructureImpl.java:170)


A workaround is to grant john /actions/read along /, /files, /john.  However, it
is very inconvenient as users in our system come and go.  Adding these extra
permissions is undesirable.