Project

General

Profile

Actions
Copy link

bug #6886

closed

Entity creation for users having only CREATE may fail in long running conversations

Added by Andreas Kohlbecker over 6 years ago. Updated over 6 years ago.

Status:
Duplicate
Priority:
New
Assignee:
Andreas Müller
Category:
cdmlib
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Severity:
normal
Found in Version:
Tags:
security

Description

I observed the following problems while implementing the ExtendedCreatePermissionManager for #6867

when this sequence is used (snipped from CdmStore.java):


T mergedBean = mergedBean(bean);
repo.getCommonService().save(mergedBean);
session.flush();

the flush causes the bean being saved a second time, since hibernate assumes that the entity is dirty and schedules a save operation. For this save the user would need the UPDATE permission, and the save operation fails.

Related issues

Related to EDIT - feature request #4305: newly created entities must stay editable even if a user only has the permission to create themIn ProgressAndreas Kohlbecker

Actions
Related to EDIT - feature request #6867: explicitely assign and revoke UPDATE & DELETE permission per enitity in the registration workflow ClosedAndreas Kohlbecker

Actions
Related to EDIT - bug #6885: UserService.loadUserByUsername() cannot find user in long running sessionNewAndreas Müller

Actions
Is duplicate of EDIT - bug #7021: CREATE permission not sufficient to save new TaxonName entityResolvedAndreas Müller

Actions
Actions
Copy link
 #1

Updated by Andreas Kohlbecker over 6 years ago

  • Subject changed from entity creation for users havon only CRATE may fail in long running conversations to entity creation for users havon only CREATE may fail in long running conversations
Actions
Copy link
 #2

Updated by Andreas Kohlbecker over 6 years ago

  • Related to feature request #4305: newly created entities must stay editable even if a user only has the permission to create them added
Actions
Copy link
 #3

Updated by Andreas Kohlbecker over 6 years ago

  • Related to feature request #6867: explicitely assign and revoke UPDATE & DELETE permission per enitity in the registration workflow added
Actions
Copy link
 #4

Updated by Andreas Müller over 6 years ago

  • Subject changed from entity creation for users havon only CREATE may fail in long running conversations to Entity creation for users having only CREATE may fail in long running conversations
Actions
Copy link
 #5

Updated by Andreas Kohlbecker over 6 years ago

  • Description updated (diff)
Actions
Copy link
 #6

Updated by Andreas Kohlbecker over 6 years ago

I attempted to write a test to reproduce this issue but had other problems which prevented me from completing this test class.

Actions
Copy link
 #7

Updated by Andreas Kohlbecker over 6 years ago

  • Related to bug #6885: UserService.loadUserByUsername() cannot find user in long running session added
Actions
Copy link
 #8

Updated by Andreas Kohlbecker over 6 years ago

  • Description updated (diff)
Actions
Copy link
 #9

Updated by Andreas Kohlbecker over 6 years ago

  • Is duplicate of bug #7021: CREATE permission not sufficient to save new TaxonName entity added
Actions
Copy link
 #10

Updated by Andreas Kohlbecker over 6 years ago

  • Status changed from New to Duplicate
  • Target version deleted (Unassigned CDM tickets)

This is a duplicate of #7021 which meanwhile provides more details.

Actions
Copy link

Also available in: Atom PDF