SEC-2342: DefaultPermissionGrantingStrategy directly compares permission mask #2571

Igor Artamonov (Migrated from SEC-2342) said:

DefaultPermissionGrantingStrategy.isGranted uses direct comparison for the permission mask:

//line :68
if ((ace.getPermission().getMask() == p.getMask()) && ace.getSid().equals(sid)) {

So, for:

  • composite mask "RW" (ace mask is 3)
  • when we require "R" (p mask is 1) permission

isGranted will return false.

I believe & should be used instead of ==.
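The comparison described in this report, as an added example that is not part of the original issue and is not Spring Security code. `MaskMatchDemo`, `Ace`, `Matcher` and the sids are hypothetical names, W = 2 is an assumed value, and the first-match loop is a simplified model (Java 16+ for the record). It puts the reported exact match beside two bitwise variants, because "any shared bit" and "all required bits" give different answers when the required permission is itself composite.

```java
import java.util.List;

public class MaskMatchDemo {
    // R = 1 and the composite RW = 3 are the values from the issue; W = 2 is assumed.
    static final int R = 1, W = 2, RW = R | W;

    // Hypothetical stand-in for an ACL entry: principal, permission mask, grant or deny.
    record Ace(String sid, int mask, boolean granting) {}

    interface Matcher { boolean matches(int aceMask, int required); }

    // Behaviour reported in the issue: the two masks must be identical.
    static final Matcher EXACT = (aceMask, required) -> aceMask == required;
    // A bare '&' test: one shared bit is enough, so it also matches partial overlap.
    static final Matcher ANY_BIT = (aceMask, required) -> (aceMask & required) != 0;
    // Superset test: every required bit must be present in the entry's mask.
    static final Matcher ALL_BITS = (aceMask, required) -> (aceMask & required) == required;

    // Simplified model (an assumption): the first entry matching sid and mask decides.
    static boolean isGranted(List<Ace> acl, String sid, int required, Matcher m) {
        for (Ace ace : acl) {
            if (ace.sid().equals(sid) && m.matches(ace.mask(), required)) {
                return ace.granting();
            }
        }
        return false; // no matching entry: deny by default
    }

    public static void main(String[] args) {
        // Constructed sample ACLs.
        List<Ace> rwOnly = List.of(new Ace("alice", RW, true));
        List<Ace> rOnly = List.of(new Ace("bob", R, true));

        // Case from the issue: entry holds RW, caller requires R.
        System.out.println("RW entry, need R,  EXACT:    " + isGranted(rwOnly, "alice", R, EXACT));
        System.out.println("RW entry, need R,  ANY_BIT:  " + isGranted(rwOnly, "alice", R, ANY_BIT));
        System.out.println("RW entry, need R,  ALL_BITS: " + isGranted(rwOnly, "alice", R, ALL_BITS));

        // Reverse case: entry holds only R, caller requires the composite RW.
        System.out.println("R entry,  need RW, ANY_BIT:  " + isGranted(rOnly, "bob", RW, ANY_BIT));
        System.out.println("R entry,  need RW, ALL_BITS: " + isGranted(rOnly, "bob", RW, ALL_BITS));
    }
}
```

In this model a deny entry (`granting` set to false) is matched by the same test, so moving from exact to bitwise matching also widens what a composite-mask deny entry blocks.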

Labels: in: acl (An issue in spring-security-acl); type: bug (A general bug); type: jira (An issue that was migrated from JIRA)
