Actions
bug #7021
openCREATE permission not sufficient to save new TaxonName entity
Start date:
Due date:
% Done:
50%
Estimated time:
Severity:
critical
Found in Version:
Description
Saving a newly created name entity fails if the authenticated use is only having the TAXONNAME.[CREATE,READ]
authority.
in the cdm-vaadin:eu.etaxonomy.cdm.service.CdmStore.saveBean(..)
method the the bean is saved by doing a merge:
public EntityChangeEvent saveBean(T bean) {
Type changeEventType;
if(bean.getId() > 1){
changeEventType = Type.MODIFIED;
} else {
changeEventType = Type.CREATED;
}
Session session = getSession();
logger.trace(this._toString() + ".onEditorSaveEvent - session: " + session.hashCode());
if(txNonConversational == null || (conversationHolder != null && !conversationHolder.isTransactionActive())){
// no running transaction, start one ...
startTransaction();
}
// merge the changes into the session, ...
T mergedBean = mergedBean(bean);
session.flush();
commitTransction();
return new EntityChangeEvent(mergedBean.getClass(), mergedBean.getId(), changeEventType);
}
The session.flush()
after the merge causes a scheduleUpdate()
which in fact is requiring the authenticated user being granted with the UPDATE
authority. Below is the according stack trace:
eu.etaxonomy.cdm.database.PermissionDeniedException: [UPDATE] not permitted for 'andreas' on TaxonName[uuid:b93e9a49-5016-48d0-93ef-38c12ba3886e', toString:'TaxonName#2343<b93e9a49-5016-48d0-93ef-38c12ba3886e>'] at eu.etaxonomy.cdm.persistence.hibernate.CdmSecurityHibernateInterceptor.checkPermissions(CdmSecurityHibernateInterceptor.java:158) at eu.etaxonomy.cdm.persistence.hibernate.CdmSecurityHibernateInterceptor.onFlushDirty(CdmSecurityHibernateInterceptor.java:116) at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:348) at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:325) at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:276) at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:143) at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:216) at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:85) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:38) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282) at eu.etaxonomy.cdm.service.CdmStore.saveBean(CdmStore.java:206)
Related issues
Actions