Bug #436
closed
Bug of MetaCat in handling permission issue
Added by Jing Tao over 22 years ago.
Updated over 22 years ago.
Description
After logging in to Metacat from that web page using
"uid=tao,o=NCEAS,dc=ecoinformatics,dc=org" as the username, the data packages were
retrieved correctly. If we delete the URL and type
"dev.nceas.ucsb.edu/tao/servlet/metacat?action=read&docid=mike.4.12", then, though
we are not the data package's owner, we can read the document in the browser
even though the principal value in the document's access permission is not public.
It seems Metacat has a bug in access control at the document level. For
example, reading the document directly.
In the AccessControlList class, the user, public and group are put into a user
package. The permission for each element in this user package is checked.
The owner has all permissions. Other users are looked up in the xml_access table.
In the xml_access table, if there are several entries that have a ticket count on allow
rules for the same user package and that action, such as read, happens, the
ticket count is decremented by one for all entries. For example:
docid      principal_name   permission   perm_type   ticket_count
smith.23   public           read         allow       4
smith.23   mike             read         allow       3
After mike reads docid smith.23 successfully one time, the ticket counts for
public and mike will be 3 and 2.
In order to fix the bug, some classes in Morpho were used. We put morpho.jar
into lib. This is not good. We need to find a more convenient way.
The morpho jar file is now in the lib. It may be replaced by source code later.
Original Bugzilla ID was 436
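
The access check described in the report, as an added example that models the behaviour in Python with an in-memory SQLite table; it is not Metacat's AccessControlList code. The column names come from the report; the `OWNERS` lookup, the function names, the `jones` row and the rule that only entries with tickets left count as matches are assumptions.

```python
import sqlite3

# Assumed owner lookup; the report only says the owner has all permissions.
OWNERS = {"smith.23": "smith", "mike.4.12": "mike"}

def make_db():
    """Build a constructed xml_access table with the report's two sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE xml_access (docid TEXT, principal_name TEXT, "
               "permission TEXT, perm_type TEXT, ticket_count INTEGER)")
    db.executemany("INSERT INTO xml_access VALUES (?,?,?,?,?)", [
        ("smith.23", "public", "read", "allow", 4),
        ("smith.23", "mike", "read", "allow", 3),
        ("mike.4.12", "jones", "read", "allow", 1),  # constructed: no public rule
    ])
    return db

def is_allowed(db, docid, user, groups, permission):
    """Return True if `user` may perform `permission` on `docid`."""
    if OWNERS.get(docid) == user:            # owner has all permissions
        return True
    package = [user, "public", *groups]      # the "user package"
    marks = ",".join("?" * len(package))
    where = ("docid = ? AND permission = ? AND perm_type = 'allow' "
             f"AND ticket_count > 0 AND principal_name IN ({marks})")
    args = [docid, permission, *package]
    rows = db.execute(f"SELECT 1 FROM xml_access WHERE {where}", args).fetchall()
    if not rows:
        return False                         # no matching allow rule: deny
    # A successful action costs one ticket on every matching entry.
    db.execute("UPDATE xml_access SET ticket_count = ticket_count - 1 "
               f"WHERE {where}", args)
    return True

def tickets(db, docid):
    """Return {principal_name: ticket_count} for one document."""
    return dict(db.execute("SELECT principal_name, ticket_count "
                           "FROM xml_access WHERE docid = ?", (docid,)))

if __name__ == "__main__":
    db = make_db()
    tao = "uid=tao,o=NCEAS,dc=ecoinformatics,dc=org"
    print(is_allowed(db, "smith.23", "mike", [], "read"), tickets(db, "smith.23"))
    print(is_allowed(db, "mike.4.12", tao, [], "read"))
```

A read handler that runs this kind of check before returning the document would refuse the direct `action=read&docid=mike.4.12` request from a user who is neither the owner nor covered by an allow rule.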