bug #7021

CREATE permission not sufficient to save new TaxonName entity

Added by Andreas Kohlbecker over 6 years ago. Updated 3 months ago.

Status: Resolved
Priority: Highest
Category: cdmlib
Target version:
Start date:
Due date:
% Done: 50%
Estimated time:
Severity: critical
Found in Version:
Description

Saving a newly created name entity fails if the authenticated user only has the TAXONNAME.[CREATE,READ] authority.

In the cdm-vaadin method eu.etaxonomy.cdm.service.CdmStore.saveBean(..) the bean is saved by doing a merge:

public EntityChangeEvent saveBean(T bean) {

    // a bean without a persistent id is being created, otherwise modified
    Type changeEventType;
    if(bean.getId() > 1){
        changeEventType = Type.MODIFIED;
    } else {
        changeEventType = Type.CREATED;
    }

    Session session = getSession();
    logger.trace(this._toString() + ".onEditorSaveEvent - session: " + session.hashCode());

    if(txNonConversational == null || (conversationHolder != null && !conversationHolder.isTransactionActive())){
        // no running transaction, start one ...
        startTransaction();
    }

    // merge the changes into the session, ...
    T mergedBean = mergedBean(bean);
    // ... the flush is where the security interceptor runs its check
    session.flush();
    commitTransction();

    return new EntityChangeEvent(mergedBean.getClass(), mergedBean.getId(), changeEventType);
}

The session.flush() after the merge causes a scheduleUpdate(), which in turn requires the authenticated user to have been granted the UPDATE authority. The corresponding stack trace:

eu.etaxonomy.cdm.database.PermissionDeniedException: [UPDATE] not permitted for 'andreas' on TaxonName[uuid:b93e9a49-5016-48d0-93ef-38c12ba3886e', toString:'TaxonName#2343<b93e9a49-5016-48d0-93ef-38c12ba3886e>']
    at eu.etaxonomy.cdm.persistence.hibernate.CdmSecurityHibernateInterceptor.checkPermissions(CdmSecurityHibernateInterceptor.java:158)
    at eu.etaxonomy.cdm.persistence.hibernate.CdmSecurityHibernateInterceptor.onFlushDirty(CdmSecurityHibernateInterceptor.java:116)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:348)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:325)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:276)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:143)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:216)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:85)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:38)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at eu.etaxonomy.cdm.service.CdmStore.saveBean(CdmStore.java:206)
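The trace above shows the flush-dirty path demanding UPDATE for an entity the user has just created. As an added, standalone illustration (not cdmlib's CdmSecurityHibernateInterceptor and not its fix), the model below shows the check such an interceptor has to make: a flush of an entity inserted in the current unit of work is still a CREATE, while a flush of anything that existed before it is an UPDATE. The callback names loosely mirror Hibernate's onSave/onFlushDirty, and the user, authorities and ids are constructed (the "TaxonName#2343" label is taken from the trace).

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model of a permission-checking persistence interceptor.
// Assumption: this is an illustration only, not cdmlib code.
public class CreateVsUpdateCheck {

    enum Crud { CREATE, READ, UPDATE, DELETE }

    /** Stand-in for PermissionDeniedException. */
    static class PermissionDenied extends RuntimeException {
        PermissionDenied(String msg) { super(msg); }
    }

    /** Minimal entity; id 0 means "not yet persisted" (constructed stand-in for TaxonName). */
    static class Entity {
        int id;
        final String label;
        Entity(int id, String label) { this.id = id; this.label = label; }
    }

    /** Authorities per user, e.g. TAXONNAME.[CREATE,READ] (constructed sample data). */
    private final Map<String, Set<Crud>> grants;
    /** Entities inserted in the current unit of work; flushing them is still part of the CREATE. */
    private final Set<Entity> createdInThisUnitOfWork = new HashSet<>();
    private int nextId = 1000;

    CreateVsUpdateCheck(Map<String, Set<Crud>> grants) { this.grants = grants; }

    private void require(String user, Crud needed, Entity e) {
        Set<Crud> has = grants.getOrDefault(user, EnumSet.noneOf(Crud.class));
        if (!has.contains(needed)) {
            throw new PermissionDenied("[" + needed + "] not permitted for '" + user + "' on " + e.label);
        }
    }

    /** Models Interceptor.onSave: a transient entity is being inserted. */
    void onSave(String user, Entity e) {
        require(user, Crud.CREATE, e);
        e.id = nextId++;
        createdInThisUnitOfWork.add(e);
    }

    /**
     * Models Interceptor.onFlushDirty. The naive mapping "dirty at flush => UPDATE" is what the
     * ticket describes. Requiring UPDATE only for entities that pre-date this unit of work lets a
     * CREATE-only user finish creating an entity without letting that user modify existing rows.
     */
    void onFlushDirty(String user, Entity e) {
        Crud needed = createdInThisUnitOfWork.contains(e) ? Crud.CREATE : Crud.UPDATE;
        require(user, needed, e);
    }

    /** Must run at commit or rollback so the CREATE exemption cannot leak into the next transaction. */
    void afterTransactionCompletion() { createdInThisUnitOfWork.clear(); }

    public static void main(String[] args) {
        CreateVsUpdateCheck interceptor = new CreateVsUpdateCheck(
            Map.<String, Set<Crud>>of("andreas", EnumSet.of(Crud.CREATE, Crud.READ)));

        // 1) New entity: save, then flush-dirty in the same transaction -> allowed with CREATE only.
        Entity fresh = new Entity(0, "TaxonName#new");
        interceptor.onSave("andreas", fresh);
        interceptor.onFlushDirty("andreas", fresh);
        interceptor.afterTransactionCompletion();
        System.out.println("new entity saved and flushed with CREATE only: ok");

        // 2) Pre-existing entity (loaded, id already set): flush-dirty must still demand UPDATE.
        Entity existing = new Entity(2343, "TaxonName#2343");
        try {
            interceptor.onFlushDirty("andreas", existing);
            System.out.println("BUG: modification of an existing entity slipped through");
        } catch (PermissionDenied ex) {
            System.out.println("existing entity correctly denied: " + ex.getMessage());
        }

        // 3) After the transaction ended, the entity created in it is ordinary persistent data.
        try {
            interceptor.onFlushDirty("andreas", fresh);
            System.out.println("BUG: CREATE exemption leaked past transaction end");
        } catch (PermissionDenied ex) {
            System.out.println("post-commit modification correctly denied: " + ex.getMessage());
        }
    }
}
```

The point of cases 2 and 3 is the caveat for any fix: relaxing the UPDATE requirement at flush time is only safe while it is scoped to entities the same transaction inserted. Keyed on anything weaker (for instance "the user holds CREATE"), a CREATE-only account would effectively gain UPDATE on every entity of that type.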

Related issues

Related to EDIT - bug #4307: User with permission group 'Editor' cannot create new authorteam via wizzard (Feedback, Andreas Müller)
Has duplicate EDIT - bug #6886: Entity creation for users having only CREATE may fail in long running conversations (Duplicate, Andreas Müller)
Copied to EDIT - bug #7022: TaxonName.protectedAuthorshipCache should initially be false (Rejected, Andreas Kohlbecker)