
Role-based authorization delegate allows user with only reader permission to PATCH


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Fedora 4.0.0
    • Fix Version/s: Fedora 4.1.1
    • Component/s: f4-auth
    • Labels: None
    • Roadmap Theme: Security: Authorization
    • Sprint: Sprint 2015 - 1, Sprint 2015 - 2, Sprint 2015 - 3

      Description

      On a Fedora 4 instance configured to use the role-based authorization delegate, I have added an fcr:accessroles ACL to the collection /bulk13
      that sets up "testuser" with just read-only access:

      { "testuser": [ "reader" ] }

      Everything appears fine when I attempt to modify a container resource
      under /bulk13 with PUT or POST; the PUT is rejected with a 409 and error
      messages referring to insufficient permissions to modify the triples, and
      the POST is rejected with a 403.

      However, when I send a PATCH request with a SPARQL update query, it
      succeeds (returns 204, and the resource gets updated). For example, this
      command will add a triple with the predicate dc:title and the object
      "foobar 2":

      curl -X PATCH \
        http://localhost:8080/rest/bulk13/6c/16/04/6d/6c16046d-3c21-4a21-b866-febdfcb8a61d \
        -H 'Content-Type: application/sparql-update' \
        -d 'INSERT { <> <http://purl.org/dc/elements/1.1/title> "foobar 2". } WHERE {}' \
        -u testuser:XXXXXX -i

      Yields:

      HTTP/1.1 204 No Content
      ETag: "ad1d4b9ed567a9bbd470de712e6c71765345d0c5"
      Last-Modified: Tue, 13 Jan 2015 14:34:07 GMT
      Server: Jetty(8.1.11.v20130520)

      This is incorrect behavior, since testuser should not be able to modify
      any resources under /bulk13, per the fcr:accessroles configuration.

      Checking the effective access roles using an admin user, this is what I get:

      curl 'http://localhost:8080/rest/bulk13/6c/16/04/6d/6c16046d-3c21-4a21-b866-febdfcb8a61d/fcr:accessroles?effective' \
        -u fedoraAdmin:XXXX -i

      Yields:

      HTTP/1.1 200 OK
      Content-Length: 23
      Content-Type: application/json
      Server: Jetty(8.1.11.v20130520)

      {"testuser":["reader"]}
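      The defect above is an inconsistency between HTTP methods: the delegate refuses PUT and POST for a reader-only principal but lets PATCH through. The following is an added regression check, not Fedora code, that encodes the expected policy (a principal holding only "reader" may use safe methods only), drives the three write methods from the report against a resource, and lists every method the server wrongly accepted. The role name, resource path, SPARQL update and status codes are taken from the report; the Basic-auth transport, the Turtle bodies used for PUT/POST and the helper names are assumptions made for this example. It runs offline against a simulated transport that replays the reported responses, and can be pointed at a test instance by swapping in basic_auth_transport().

```python
"""
Regression check for the authorization gap described in this issue: a
principal whose only role is "reader" must be refused by every write method,
not just PUT and POST.  Added example, not Fedora code.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# HTTP methods that do not modify server state (RFC 7231 "safe" methods).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# The three write methods the report exercised, each with a request body.
# The Turtle bodies are constructed; the SPARQL update is the one from the report.
WRITE_REQUESTS = {
    "PUT": ("text/turtle", '<> <http://purl.org/dc/elements/1.1/title> "foobar 2" .'),
    "POST": ("text/turtle", '<> <http://purl.org/dc/elements/1.1/title> "foobar 2" .'),
    "PATCH": ("application/sparql-update",
              'INSERT { <> <http://purl.org/dc/elements/1.1/title> "foobar 2". } WHERE {}'),
}

# Status codes the report observed for testuser; the 204 on PATCH is the defect.
REPORTED_STATUSES = {"PUT": 409, "POST": 403, "PATCH": 204}

# send(method, url, headers, body) -> HTTP status code
Transport = Callable[[str, str, Dict[str, str], str], int]


def reader_may(method: str) -> bool:
    """Expected policy: a principal holding only the reader role gets safe methods only."""
    return method.upper() in SAFE_METHODS


def audit(observed: Dict[str, int]) -> List[str]:
    """Return the methods the server accepted (2xx) even though reader_may() denies them.

    An empty list means the delegate enforced the reader role consistently."""
    return [method for method, status in observed.items()
            if not reader_may(method) and 200 <= status < 300]


def probe(send: Transport, resource_url: str) -> Dict[str, int]:
    """Issue each request in WRITE_REQUESTS through `send` and collect the status codes.

    The transport is injected so the same check runs against a real instance
    (basic_auth_transport) or offline against a fake (simulated_send)."""
    return {
        method: send(method, resource_url, {"Content-Type": content_type}, body)
        for method, (content_type, body) in WRITE_REQUESTS.items()
    }


def basic_auth_transport(user: str, password: str) -> Transport:
    """Build a urllib transport authenticating with HTTP Basic (assumed test setup)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, url: str, headers: Dict[str, str], body: str) -> int:
        req = urllib.request.Request(url, data=body.encode(), method=method)
        req.add_header("Authorization", "Basic " + token)
        for name, value in headers.items():
            req.add_header(name, value)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # a 403/409 refusal is the expected outcome for a reader

    return send


def simulated_send(method: str, url: str, headers: Dict[str, str], body: str) -> int:
    """Offline stand-in that replays the responses listed in the report (constructed)."""
    return REPORTED_STATUSES[method]


if __name__ == "__main__":
    url = "http://localhost:8080/rest/bulk13/6c/16/04/6d/6c16046d-3c21-4a21-b866-febdfcb8a61d"
    leaks = audit(probe(simulated_send, url))
    print("reader-only principal could modify via:", leaks or "nothing (policy enforced)")
```

      Against the responses in the report the audit returns ["PATCH"]; after the fix every write method should return 403 or 409 and the list should be empty, which is the condition a CI job would assert on.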
      People

      • Assignee: Osman Din (osmandin)
      • Reporter: Peter Eichman (peichman-umd)
      • Reviewer: Andrew Woods
      • Votes: 0
      • Watchers: 3