Details
- Bug
- Resolution: Fixed
- Minor
- 2.1.4
- None
Description
I haven't looked at where exactly this is being used, but I suppose this basically means that the non-batch methods allow READ if you have READ or ADMIN, while the batch ones allow it if you have READ or ADMIN or OPTIN or OPTOUT. It seems like another (minor) security bug and maybe worth changing now unless we think it will have a significant impact?
– Shilen
From: Chris Hyzer <mchyzer>
Date: Monday, August 5, 2013 8:30 AM
To: Shilen Patel <shilen>, "grouper-core" <grouper-core>
Subject: RE: [grouper-core] optin/optout gives read?
I knew that sounded familiar, should we change it in 2.1.5 or leave it?
From: Shilen Patel <shilen>
Sent: Sunday, August 04, 2013 7:04 PM
To: Chris Hyzer; grouper-core
Subject: Re: [grouper-core] optin/optout gives read?
Looks like that was removed from trunk in r8549. Hmm.
– Shilen
From: Chris Hyzer
Date: Sunday, August 4, 2013 5:45 PM
To: "grouper-core" <grouper-core>
Subject: [grouper-core] optin/optout gives read?
I'm working on the stem/attrDef privs via WS memberships, and I see this:
public static Set<Privilege> READ_PRIVILEGES = Collections.unmodifiableSet(
    GrouperUtil.toSet(READ, ADMIN, OPTIN, OPTOUT));
Does that mean in some cases if someone has optin or optout they have READ??? hmmm. I think it was intended that the optin/optouts can read their own memberships, but I have a feeling in some circumstances it might be more than that… ugh.
Chris
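The thread above describes two code paths that answer "can this subject read this group?" differently: a single-object check that accepts READ or ADMIN, and a batch filter driven by a READ_PRIVILEGES set that also contains OPTIN and OPTOUT. The model below is an added example written for this page, not Grouper's code: it reproduces that shape in Python, finds the groups the batch path exposes that the single check would deny, and shows the narrowed set under which the two paths agree. The Group class, the sample subjects and groups, and the "OPTIN/OPTOUT holders may see only their own membership" rule are all assumptions made for illustration; the thread only says that was probably the intent.

```python
"""Model of the privilege-implication mismatch discussed above (added example, not Grouper code)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, List, Set


class Privilege(Enum):
    READ = auto()
    ADMIN = auto()
    UPDATE = auto()
    OPTIN = auto()
    OPTOUT = auto()


# The constant quoted in the thread, as a Python set: holding any one of these is taken to imply READ.
READ_PRIVILEGES_AS_POSTED: FrozenSet[Privilege] = frozenset(
    {Privilege.READ, Privilege.ADMIN, Privilege.OPTIN, Privilege.OPTOUT}
)
# The narrowed set under which the batch filter agrees with the single-object check.
READ_PRIVILEGES_NARROW: FrozenSet[Privilege] = frozenset({Privilege.READ, Privilege.ADMIN})
# Assumed intended semantics: these let a subject see only their own membership, nothing else.
SELF_MEMBERSHIP_PRIVILEGES: FrozenSet[Privilege] = frozenset({Privilege.OPTIN, Privilege.OPTOUT})


@dataclass
class Group:
    """Hypothetical group: maps subject id -> privileges that subject holds on the group."""
    name: str
    grants: Dict[str, Set[Privilege]]

    def held_by(self, subject: str) -> Set[Privilege]:
        return self.grants.get(subject, set())


def can_read_single(group: Group, subject: str) -> bool:
    """Non-batch style check as Shilen describes it: READ or ADMIN only (hypothetical)."""
    held = group.held_by(subject)
    return Privilege.READ in held or Privilege.ADMIN in held


def readable_groups_batch(groups: List[Group], subject: str,
                          read_privileges: FrozenSet[Privilege]) -> List[str]:
    """Batch style filter: readable if the subject holds any privilege in read_privileges."""
    return [g.name for g in groups if g.held_by(subject) & read_privileges]


def find_inconsistencies(groups: List[Group], subject: str,
                         read_privileges: FrozenSet[Privilege]) -> List[str]:
    """Groups the batch path exposes that the single-object check would deny (the over-grant)."""
    batch = set(readable_groups_batch(groups, subject, read_privileges))
    single = {g.name for g in groups if can_read_single(g, subject)}
    return sorted(batch - single)


def can_see_membership(group: Group, subject: str, member: str) -> bool:
    """Narrow rule: full readers see every membership; OPTIN/OPTOUT holders see only their own."""
    if can_read_single(group, subject):
        return True
    return member == subject and bool(group.held_by(subject) & SELF_MEMBERSHIP_PRIVILEGES)


# Constructed sample data: alice may opt in to chess but holds no READ there.
SAMPLE_GROUPS: List[Group] = [
    Group("admins", {"alice": {Privilege.ADMIN}}),
    Group("clubs:chess", {"alice": {Privilege.OPTIN}, "bob": {Privilege.READ}}),
    Group("secret", {"bob": {Privilege.READ}}),
    Group("staff", {"alice": {Privilege.READ}}),
]


if __name__ == "__main__":
    print("batch, as posted:", readable_groups_batch(SAMPLE_GROUPS, "alice", READ_PRIVILEGES_AS_POSTED))
    print("over-granted:    ", find_inconsistencies(SAMPLE_GROUPS, "alice", READ_PRIVILEGES_AS_POSTED))
    print("batch, narrowed: ", readable_groups_batch(SAMPLE_GROUPS, "alice", READ_PRIVILEGES_NARROW))
    print("over-granted:    ", find_inconsistencies(SAMPLE_GROUPS, "alice", READ_PRIVILEGES_NARROW))
```

With the set as posted, alice's OPTIN on clubs:chess makes that group appear in the batch result even though the single-object check denies it; with the narrowed set the two paths agree, and the own-membership case is handled by an explicit rule rather than by widening what "read" means. The practical check in a real deployment is the same comparison: run both code paths for a subject that holds only OPTIN or OPTOUT and diff the results.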