Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Not A Problem
-
1.10.1
-
None
Description
PermissionUtils.resolveDelimitedPermissions() accepts multiple permissions, separated by comma. But comma is already reserved by WildcardPermission.SUBPART_DIVIDER_TOKEN.
Example: "user:read,write:*"
Expected:
parts: [ ["user"], ["read", "write"], ["*"]]Actual:
WildcardPermission.parts: [ ["user"], ["read"]],WildcardPermission.parts: [ ["write"], ["*"]]{}
JUnit test to trigger the bug:
import static org.assertj.core.api.Assertions.assertThat;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.util.PermissionUtils;
import org.junit.jupiter.api.Test;
public class PermissionUtilsTest {
@Test
void verifyResolveDelimitedPermissionsRespectsSubPartDividerToken() {
var permissionResolver = new WildcardPermissionResolver(true);
var result = PermissionUtils.resolveDelimitedPermissions("user:read,write:*", permissionResolver);
assertThat(result)
.containsExactlyInAnyOrder(
new WildcardPermission("user:read,write:*")
);
{{ }}}
}
I understand, that PermissionUtils actually cannot know about WildcardPermission.SUBPART_DIVIDER_TOKEN, because it is hidden behind the PermissionResolver abstraction. But WildcardPermissionResolver is the only resolver you provide. PermissionUtils should support using it.
I also understand that the fix will be a breaking change, which should usually be avoided in public APIs. But also consider, that every new user using PermissionUtils will waste time debugging this bug, and then will avoid using resolveDelimitedPermissions(). What's the purpose of a stable but unused API?
Attachments
Issue Links
- links to