Context Navigation

← Previous Ticket
Next Ticket →

Ticket #663 (new defect)

Opened 20 months ago

Last modified 9 months ago

Query with user filter can still produce security violation

Reported by:	jmoore	Owned by:	jmoore
Priority:	minor	Milestone:	OMERO-Beta4
Component:	Security	Version:	3.0-Beta1
Keywords:	permissions	Cc:

Description

        ome.parameters.Filter filter = new ome.parameters.Filter().owner(uid);
        ome.parameters.Parameters params = new ome.parameters.Parameters(filter); 
        list = 
            query.findAllByQuery("select p from Project p" +
                                 " left outer join fetch p.datasetLinks l"+
                                 " left outer join fetch l.child d",params);

can produce

Exception in thread "main" ome.conditions.SecurityViolation: Cannot read ome.model.containers.Dataset
        at ome.security.basic.BasicACLVoter.throwLoadViolation(BasicACLVoter.java:83)
        at ome.security.ACLEventListener.onPostLoad(ACLEventListener.java:106)
        at org.hibernate.engine.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:201)
        at org.hibernate.loader.Loader.initializeEntitiesAndCollections(Loader.java:842)
        at org.hibernate.loader.Loader.doQuery(Loader.java:717)
        at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:224)
        at org.hibernate.loader.Loader.doList(Loader.java:2211)
        at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2095)
        at org.hibernate.loader.Loader.list(Loader.java:2090)

Change History

Note: See TracTickets for help on using tickets.

Download in other formats: