Fixed issue #1591

orientechnologies · Aug 8, 2013 · 7e31bc0 · 7e31bc0
1 parent 8305ee3
commit 7e31bc0
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 16 deletions.
diff --git a/.../main/java/com/orientechnologies/orient/core/metadata/security/ORestrictedAccessHook.java b/.../main/java/com/orientechnologies/orient/core/metadata/security/ORestrictedAccessHook.java
@@ -97,13 +97,14 @@ protected boolean isAllowed(final ODocument iDocument, final String iAllowOperat
 
       final ODatabaseRecord db = ODatabaseRecordThreadLocal.INSTANCE.get();
 
-      if( db.getUser() == null )
-        return true;
-
-      if (db.getUser().checkIfAllowed(ODatabaseSecurityResources.BYPASS_RESTRICTED, ORole.PERMISSION_READ) != null)
-        // BYPASS RECORD LEVEL SECURITY: ONLY "ADMIN" ROLE CAN BY DEFAULT
+      if (db.getUser() == null)
         return true;
 
+      if (db.getUser().isRuleDefined(ODatabaseSecurityResources.BYPASS_RESTRICTED))
+        if (db.getUser().checkIfAllowed(ODatabaseSecurityResources.BYPASS_RESTRICTED, ORole.PERMISSION_READ) != null)
+          // BYPASS RECORD LEVEL SECURITY: ONLY "ADMIN" ROLE CAN BY DEFAULT
+          return true;
+
       final ODocument doc;
       if (iReadOriginal)
         // RELOAD TO AVOID HACKING OF "_ALLOW" FIELDS

diff --git a/core/src/main/java/com/orientechnologies/orient/core/metadata/security/ORole.java b/core/src/main/java/com/orientechnologies/orient/core/metadata/security/ORole.java
@@ -98,11 +98,11 @@ public void fromStream(final ODocument iSource) {
 
     try {
       mode = ((Number) document.field("mode")).byteValue() == STREAM_ALLOW ? ALLOW_MODES.ALLOW_ALL_BUT : ALLOW_MODES.DENY_ALL_BUT;
-    }catch(Exception ex) {
-    	OLogManager.instance().error(this, "illegal mode " + ex.getMessage());
-    	mode =  ALLOW_MODES.DENY_ALL_BUT;
+    } catch (Exception ex) {
+      OLogManager.instance().error(this, "illegal mode " + ex.getMessage());
+      mode = ALLOW_MODES.DENY_ALL_BUT;
     }
-     
+
     final OIdentifiable role = document.field("inheritedRole");
     parentRole = role != null ? document.getDatabase().getMetadata().getSecurity().getRole(role) : null;
 
@@ -111,6 +111,10 @@ public void fromStream(final ODocument iSource) {
       for (Entry<String, Number> a : storedRules.entrySet()) {
         rules.put(a.getKey().toLowerCase(), a.getValue().byteValue());
       }
+
+    if (getName().equals("admin") && !hasRule(ODatabaseSecurityResources.BYPASS_RESTRICTED))
+      // FIX 1.5.1 TO ASSIGN database.bypassRestricted rule to the role
+      addRule(ODatabaseSecurityResources.BYPASS_RESTRICTED, ORole.PERMISSION_ALL).save();
   }
 
   public boolean allow(final String iResource, final int iCRUDOperation) {
@@ -128,12 +132,13 @@ public boolean allow(final String iResource, final int iCRUDOperation) {
   }
 
   public boolean hasRule(final String iResource) {
-    return rules.containsKey(iResource);
+    return rules.containsKey(iResource.toLowerCase());
   }
 
-  public void addRule(final String iResource, final int iOperation) {
+  public ORole addRule(final String iResource, final int iOperation) {
     rules.put(iResource.toLowerCase(), (byte) iOperation);
     document.field("rules", rules);
+    return this;
   }
 
   /**
@@ -143,15 +148,17 @@ public void addRule(final String iResource, final int iOperation) {
    *          Requested resource
    * @param iOperation
    *          Permission to grant/add
+   * @return
    */
-  public void grant(final String iResource, final int iOperation) {
+  public ORole grant(final String iResource, final int iOperation) {
     final Byte current = rules.get(iResource);
     byte currentValue = current == null ? PERMISSION_NONE : current.byteValue();
 
     currentValue |= (byte) iOperation;
 
     rules.put(iResource.toLowerCase(), currentValue);
     document.field("rules", rules);
+    return this;
   }
 
   /**
@@ -162,9 +169,9 @@ public void grant(final String iResource, final int iOperation) {
    * @param iOperation
    *          Permission to grant/remove
    */
-  public void revoke(final String iResource, final int iOperation) {
+  public ORole revoke(final String iResource, final int iOperation) {
     if (iOperation == PERMISSION_NONE)
-      return;
+      return this;
 
     final Byte current = rules.get(iResource);
 
@@ -178,6 +185,7 @@ public void revoke(final String iResource, final int iOperation) {
 
     rules.put(iResource.toLowerCase(), currentValue);
     document.field("rules", rules);
+    return this;
   }
 
   public String getName() {

diff --git a/core/src/main/java/com/orientechnologies/orient/core/metadata/security/OSecurityShared.java b/core/src/main/java/com/orientechnologies/orient/core/metadata/security/OSecurityShared.java
@@ -439,8 +439,10 @@ else if (userClass.getSuperClass() == null)
 
     // CREATE ROLES AND USERS
     ORole adminRole = getRole(ORole.ADMIN);
-    if (adminRole == null)
+    if (adminRole == null) {
       adminRole = createRole(ORole.ADMIN, ORole.ALLOW_MODES.ALLOW_ALL_BUT);
+      adminRole.addRule(ODatabaseSecurityResources.BYPASS_RESTRICTED, ORole.PERMISSION_ALL).save();
+    }
 
     OUser adminUser = getUser(OUser.ADMIN);
     if (adminUser == null)
@@ -495,7 +497,6 @@ public void load() {
 
       if (roleClass.getInvolvedIndexes("name") == null)
         p.createIndex(INDEX_TYPE.UNIQUE);
-
     }
   }