Details
- Bug
- Resolution: Fixed
- Minor
Description
With subject filtering enabled, if a privileged user and a non-privileged user viewed the same subject at around the same time, the non-privileged user could see the hidden data. This does not affect every screen, but it does affect some, such as the group audit screen. The cause appears to be that the Member object can be cached in Hib3MemberDAO, and the Member object in turn caches its Subject, so a Subject resolved under a privileged session is served to a later unprivileged session. For example:
groovy:000> GrouperSession.startRootSession()
===> 39a315abb591403eb02c65214872cafa,'GrouperSystem','application'
groovy:000> MemberFinder.findByUuid(GrouperSession.staticGrouperSession(), "4d57f835c4464031ad74f0cfe88ff26f", false).getSubject().getName()
===> Hidden name is shown (correct)
groovy:000> GrouperSession.start(findSubject("unprivileged_user"))
===> 3540b6afd9ae4137831c22280d17140c,'unprivileged_user','person'
groovy:000> MemberFinder.findByUuid(GrouperSession.staticGrouperSession(), "4d57f835c4464031ad74f0cfe88ff26f", false).getSubject().getName()
===> Hidden name is shown (incorrect) – cached copies of Member and Subject were used.
<wait a while for cache to clear>
groovy:000> MemberFinder.findByUuid(GrouperSession.staticGrouperSession(), "4d57f835c4464031ad74f0cfe88ff26f", false).getSubject().getName()
===> Hidden name is not shown (correct)
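The mechanism above, as an added illustration rather than Grouper's own code: a Member held in a DAO-level cache also holds the Subject that the first session resolved, so a later session with fewer privileges receives the privileged view. The fixed variant shows one defensive pattern (cache nothing viewer-specific and apply filtering on every read); the names Subject, Session, resolveSubject, BuggyMember and FixedMember are hypothetical stand-ins, not Grouper classes.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Grouper code: a Member cached by the DAO also caches
// its Subject, so the view resolved for the first session is served to all.
public class SubjectCacheDemo {
    // Hypothetical stand-ins; "nameHidden" models subject filtering of the name.
    record Subject(String id, String name, boolean nameHidden) {}
    record Session(String user, boolean privileged) {}
    // Stand-in subject source: applies filtering for the session doing the lookup.
    static Subject resolveSubject(String subjectId, Session s) {
        Subject raw = new Subject(subjectId, "Real Name", true);
        if (raw.nameHidden() && !s.privileged()) {
            return new Subject(subjectId, "<hidden>", true);
        }
        return raw;
    }

    // Buggy: whichever session resolves the Subject first fills a shared cache.
    static class BuggyMember {
        final String subjectId;
        Subject cachedSubject;
        BuggyMember(String subjectId) { this.subjectId = subjectId; }
        Subject getSubject(Session s) {
            if (cachedSubject == null) cachedSubject = resolveSubject(subjectId, s);
            return cachedSubject;
        }
    }
    // Fixed: nothing viewer-specific is cached; filtering runs on every read.
    static class FixedMember {
        final String subjectId;
        FixedMember(String subjectId) { this.subjectId = subjectId; }
        Subject getSubject(Session s) { return resolveSubject(subjectId, s); }
    }
    // Stand-ins for the DAO-level Member cache shared across sessions.
    static final Map<String, BuggyMember> buggyCache = new HashMap<>();
    static final Map<String, FixedMember> fixedCache = new HashMap<>();

    public static void main(String[] args) {
        Session root = new Session("GrouperSystem", true);
        Session user = new Session("unprivileged_user", false);
        BuggyMember b = buggyCache.computeIfAbsent("member-1", k -> new BuggyMember("subj-1"));
        System.out.println("buggy, root session: " + b.getSubject(root).name());
        System.out.println("buggy, user session: " + b.getSubject(user).name());
        FixedMember f = fixedCache.computeIfAbsent("member-1", k -> new FixedMember("subj-1"));
        System.out.println("fixed, root session: " + f.getSubject(root).name());
        System.out.println("fixed, user session: " + f.getSubject(user).name());
    }
}
```

Requires a JDK with records (Java 16 or later); the unprivileged session gets the real name from the buggy member, mirroring the transcript above, and the placeholder from the fixed one.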