Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
1.1
-
None
-
None
-
CVS HEAD
Description
Note: This occurs on CVS HEAD on the main line in unreleased code. I've reproduced on both Tomcat 5.5.7/JDK 1.5 and Tomcat 5.0.28/JDK 1.4, so I think platform is irrelevant.
To reproduce, start with a fresh db, and attempt to save a weblog entry or change themes. A permission exception results.
I believe it will also be reproducible with a fresh website/username in an existing db.
Here is some analysis I did in the debugger for reference:
There is a direct call from RequestFilter to IfModifiedFilter.getLastPublishedDate() at line 145 of RequestFilter.java. In IfModifiedFilter, if you happen to get a date cache miss at line 181, it does a roller.begin() call that clobbers the user and sets an anonymous user. That hoses things for all canSave() permission checks.
If you start with a fresh empty database, you'll be caught in a position where you can't save due to this bug. Once you have a lastUpdateTime for the website cached, you are ok.
Possible suggested fixes:
(1) If you intend that it is ok that begin() is called on an already begun session, add a state value to skip the setUser(UserData.anonymous) if the session is already "begun."
or skip the setting if there is a user set.
(2) If you intend that begin() should not be called, then keep a state variable indicating "begun" and throw an IllegalStateException on subsequent calls.