Bug 39797 - Permissive instead of restrictive usecase policies
Status: CLOSED FIXED
Alias: None
Product: Lenya
Classification: Unclassified
Component: Access Control
Version: 2.0
Hardware: Other other
Importance: P5 major
Target Milestone: 2.0
Assignee: Lenya Developers
Reported: 2006-06-13 08:24 UTC by Andreas Hartmann
Modified: 2007-07-16 01:59 UTC

Attachments
changes usecase authorization to deny-by-default (2.04 KB, patch)
2006-06-23 10:52 UTC, J
this patch adds some policies to the default publication (5.82 KB, patch)
2006-06-23 10:57 UTC, J
changed file location due to andreas' latest commit (2.05 KB, patch)
2006-06-23 13:52 UTC, J

Description Andreas Hartmann 2006-06-13 08:24:25 UTC
Doug Chestnut:

Currently usecases get restrictive with policies in usecase-policies.xml.
Should we make usecase-policies.xml be permissive instead (only allow usecase
execution if a policy exists and the policy is met)? This would force us to
think about policies when creating new functionality.
Comment 1 J 2006-06-23 10:52:50 UTC
Created attachment 18513 [details]
changes usecase authorization to deny-by-default

see the next attachment for some boilerplate policies to make lenya usable
again.
Comment 2 J 2006-06-23 10:57:15 UTC
Created attachment 18514 [details]
this patch adds some policies to the default publication

warning: these policies will only make the site usable for *admins*. a lot more
policies are needed to enable reviewers and editors to do their work again, but
i'm waiting for some feedback first.
Comment 3 J 2006-06-23 10:59:50 UTC
i have raised the priority and severity for this bug, as the patch addresses a
number of security issues.

Comment 4 J 2006-06-23 13:52:46 UTC
Created attachment 18518 [details]
changed file location due to andreas' latest commit

chasing the berzerk patch-man all over svn. i'm only a hair's width behind and
closing in... :-D
(this change is needed to make the patch apply against
http://svn.apache.org/viewvc?rev=416708&view=rev)
Comment 5 Andreas Hartmann 2006-06-23 13:54:25 UTC
I added the functionality to the UsecaseAuthorizerImpl. The correct usecase
policies are not yet set.
Comment 6 J 2006-06-23 13:55:28 UTC
damn. he is too fast for me :-D
Comment 7 Andreas Hartmann 2006-06-23 13:56:42 UTC
BTW, thanks for the patch!
Unfortunately I saw it too late, but the changes are basically the same :)
Comment 8 Andreas Hartmann 2006-06-26 09:03:07 UTC
That's done. If you notice missing or wrong usecase policies, please complain on
dev@lenya.
Comment 9 Thorsten Scherler 2007-07-16 01:59:04 UTC
Renaming Lenya 1.4 to 2.0
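
Added example, not part of the original bug thread and not Lenya's UsecaseAuthorizerImpl: a sketch of the two authorization behaviours discussed in the description (allow when no policy exists versus deny by default), plus a check that lists usecases left without any policy, the gap comments 2 and 8 refer to. The class name, the usecase ids, the role ids and the in-memory map standing in for usecase-policies.xml are all assumptions made for illustration.

```java
import java.util.*;

// Added illustration; not Lenya code. Usecase ids and role ids are
// constructed sample data, and the map stands in for usecase-policies.xml.
public class UsecasePolicyDemo {

    enum Mode { ALLOW_WHEN_NO_POLICY, DENY_BY_DEFAULT }

    // usecase id -> roles allowed to execute it
    static final Map<String, Set<String>> POLICIES = Map.of(
        "admin.users", Set.of("admin"),
        "site.publish", Set.of("admin", "review"));

    static boolean authorize(Mode mode, String usecase, Set<String> userRoles) {
        Set<String> allowed = POLICIES.get(usecase);
        if (allowed == null) {
            // No policy entry: the old behaviour lets the request through,
            // the deny-by-default behaviour refuses it.
            return mode == Mode.ALLOW_WHEN_NO_POLICY;
        }
        // A policy exists: it has to be met in both modes.
        return !Collections.disjoint(allowed, userRoles);
    }

    // Usecases known to the application that have no policy entry. Under
    // deny-by-default nobody can execute these until a policy is added.
    static SortedSet<String> missingPolicies(Collection<String> registeredUsecases) {
        SortedSet<String> missing = new TreeSet<>(registeredUsecases);
        missing.removeAll(POLICIES.keySet());
        return missing;
    }

    public static void main(String[] args) {
        // "site.delete" is deliberately left without a policy.
        List<String> registered = List.of("admin.users", "site.publish", "site.delete");
        Set<String> editor = Set.of("edit");
        for (Mode mode : Mode.values()) {
            for (String usecase : registered) {
                System.out.printf("%-22s %-14s editor allowed=%b%n",
                    mode, usecase, authorize(mode, usecase, editor));
            }
        }
        System.out.println("usecases without a policy: " + missingPolicies(registered));
    }
}
```

The only row that differs between the two modes is the usecase with no policy entry, which is the case the change in this bug closes.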