Project

General

Profile

Bug #436

Bug of MetaCat in handling permission issue

Added by Jing Tao over 17 years ago. Updated over 17 years ago.

Status:
Resolved
Priority:
Immediate
Assignee:
Category:
metacat
Target version:
Start date:
02/22/2002
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
436

Description

After login the metacat from that web page by using
"uid=tao,o=NCEAS,dc=ecoinformatics,dc=org" as username, the data packages were
gotten correctly. If delect the url and type
"dev.nceas.ucsb.edu/tao/servlet/metacat?action=read&docid=mike.4.12". Though
we are not the data package's owner, we can read the document in the browser
even the principal value in document access permission is not public.

It seems Metacat have some bug in access control in document level. For
exmaple, read the document directly.


Related issues

Blocked by Metacat - Bug #411: package export featureResolved02/04/2002

History

#1 Updated by Jing Tao over 17 years ago

In AccessControlList class, user, public and group will be put into a user
package. The permission for each element in this user package will be checked.
Owner has all permission. The other user will be look up into xml_access table.

In xml_access table, if there are several entries have ticket count to allow
rules for same user package. If that action, such as read, happened, the
ticket acount will be minus one for all entires. For example:

docid principal_name permission perm_type ticket_count
smith.23 public read allow 4
simth.23 mike read allow 3

After mike read docid smith.23 successfully one time, the ticket count for
public and mike will be 3 and 2.

In order to fix the bug, some classed in Morpho were used. We put morpho.jar
into lib. This is not good. We need to find more convenient way.

#2 Updated by Jing Tao over 17 years ago

morpho jar file now is in the lib. Maybe will replace by source code lately.

#3 Updated by Redmine Admin over 6 years ago

Original Bugzilla ID was 436

Also available in: Atom PDF