the UserPrivledgeException should be thrown inside the ModelWrapper (if it
silently fails then it should be added to checking in ModelWrapper)
On Mon, May 23, 2011 at 8:33 PM, Matt Giuca <email address hidden>wrote:
> Hang on. Did you read the other thread? Your code above has removed the
> exception throw -- that is bad. It's still secure, but it fails silently
> (it reports success and only when you refresh do you realise that it
> didn't write).
>
> Actually ... at the moment, for editing Game objects, you DO get an
> error if you are a non-admin trying to write to it, but it is completely
> unrelated to this bug. (GRR!!!!!) I am about to file ANOTHER bug on that
> one (which I can fix, but it's probably quite widespread. Wait till you
> see it.)
>
> --
> You received this bug notification because you are subscribed to MUGLE.
> https://bugs.launchpad.net/bugs/786904
>
> Title:
> checkPermissions only lets admins write
>
> Status in Melbourne University Game-based Learning Environment:
> New
>
> Bug description:
> It's hard to demonstrate at the moment, but I believe that
> checkPermissions in all of the *ServiceImpl classes, except for
> UserService, will prevent non-admins from writing to objects, even if
> they own them.
>
> This is because all of the checks check the current user's key against
> the object in question's key (which obviously never match), and set it
> to private if they match, public otherwise. This means it will ALWAYS
> result in the public interface. Admins can still write to such an
> interface, but nobody else can.
>
> Therefore, each ServiceImpl class needs that logic to change to a real
> check to see whether the user owns that object (which is usually going
> to be the same condition as the exception check above).
>
the UserPrivledgeEx ception should be thrown inside the ModelWrapper (if it
silently fails then it should be added to checking in ModelWrapper)
On Mon, May 23, 2011 at 8:33 PM, Matt Giuca <email address hidden>wrote:
> Hang on. Did you read the other thread? Your code above has removed the /bugs.launchpad .net/bugs/ 786904
> exception throw -- that is bad. It's still secure, but it fails silently
> (it reports success and only when you refresh do you realise that it
> didn't write).
>
> Actually ... at the moment, for editing Game objects, you DO get an
> error if you are a non-admin trying to write to it, but it is completely
> unrelated to this bug. (GRR!!!!!) I am about to file ANOTHER bug on that
> one (which I can fix, but it's probably quite widespread. Wait till you
> see it.)
>
> --
> You received this bug notification because you are subscribed to MUGLE.
> https:/
>
> Title:
> checkPermissions only lets admins write
>
> Status in Melbourne University Game-based Learning Environment:
> New
>
> Bug description:
> It's hard to demonstrate at the moment, but I believe that
> checkPermissions in all of the *ServiceImpl classes, except for
> UserService, will prevent non-admins from writing to objects, even if
> they own them.
>
> This is because all of the checks check the current user's key against
> the object in question's key (which obviously never match), and set it
> to private if they match, public otherwise. This means it will ALWAYS
> result in the public interface. Admins can still write to such an
> interface, but nobody else can.
>
> Therefore, each ServiceImpl class needs that logic to change to a real
> check to see whether the user owns that object (which is usually going
> to be the same condition as the exception check above).
>