REST endpoints should not allow malformed series ACLs

Steps to reproduce

The following REST endpoints should not allow ACLs where roles are missing:

  • Series service (/series)

  • External API (/api/series)

  • Admin UI Facade (/admin-ng/series)
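
The validation these endpoints are expected to perform, as an added Python example (not Opencast's own code): a strict parser that refuses an ACL when any entry lacks a role, has a blank role or action, or carries a non-boolean allow flag. The accepted JSON shapes (a bare array of entries, or `{"acl": {"ace": [...]}}`) and the field names `role`, `action` and `allow` are assumptions about the payload format; the sample payloads are constructed for the example.

```python
"""Strict validation of a series ACL JSON payload before it is persisted.

Illustrative code, not Opencast's AccessControlParser or AclUtils. The payload
shapes and field names below are assumptions about the wire format.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessControlEntry:
    role: str
    action: str
    allow: bool


def _collect_entries(doc: Any) -> Optional[List[Any]]:
    """Return the list of ACE objects from either supported envelope, or None.

    Assumption: the payload is either a bare JSON array of entries or the
    wrapped form {"acl": {"ace": [...]}}. Anything else is a structural error.
    """
    if isinstance(doc, list):
        return doc
    if isinstance(doc, dict):
        acl = doc.get("acl")
        if isinstance(acl, dict) and "ace" in acl:
            ace = acl["ace"]
            # A single entry may arrive as an object rather than a one-element array.
            return ace if isinstance(ace, list) else [ace]
    return None


def validate_acl(payload: str) -> List[str]:
    """Return every problem found in the payload; an empty list means it is well-formed."""
    errors: List[str] = []
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]

    entries = _collect_entries(doc)
    if entries is None:
        return ["payload is neither an array of entries nor an object with acl.ace"]

    # (role, action) -> allow, used to catch contradictory duplicate entries.
    seen: Dict[Tuple[str, str], Any] = {}
    for idx, entry in enumerate(entries):
        where = f"entry {idx}"
        if not isinstance(entry, dict):
            errors.append(f"{where}: expected an object, got {type(entry).__name__}")
            continue
        for key in ("role", "action"):
            value = entry.get(key)
            if key not in entry:
                errors.append(f"{where}: missing '{key}'")
            elif not isinstance(value, str) or not value.strip():
                # A whitespace-only role is as broken as an absent one.
                errors.append(f"{where}: '{key}' must be a non-empty string")
        allow = entry.get("allow")
        if "allow" not in entry:
            errors.append(f"{where}: missing 'allow'")
        elif not isinstance(allow, bool):
            # Reject "true" / 1 so the stored flag is unambiguous.
            errors.append(f"{where}: 'allow' must be a JSON boolean")
        unknown = set(entry) - {"role", "action", "allow"}
        if unknown:
            errors.append(f"{where}: unexpected keys {sorted(unknown)}")
        if isinstance(entry.get("role"), str) and isinstance(entry.get("action"), str):
            pair = (entry["role"].strip(), entry["action"].strip())
            if pair in seen and seen[pair] != allow:
                errors.append(f"{where}: conflicting 'allow' for role/action {pair}")
            seen.setdefault(pair, allow)
    return errors


def parse_acl(payload: str) -> List[AccessControlEntry]:
    """Parse a payload into entries, raising ValueError listing all problems if malformed."""
    errors = validate_acl(payload)
    if errors:
        raise ValueError("malformed ACL: " + "; ".join(errors))
    entries = _collect_entries(json.loads(payload)) or []
    return [AccessControlEntry(e["role"].strip(), e["action"].strip(), e["allow"]) for e in entries]


# Constructed sample payloads (not taken from the issue tracker).
WELL_FORMED = ('{"acl": {"ace": [{"role": "ROLE_ADMIN", "action": "read", "allow": true},'
               ' {"role": "ROLE_ADMIN", "action": "write", "allow": true}]}}')
MISSING_ROLE = '[{"action": "read", "allow": true}, {"role": "  ", "action": "write", "allow": true}]'

if __name__ == "__main__":
    print(parse_acl(WELL_FORMED))
    print(validate_acl(MISSING_ROLE))
```

Returning the full list of problems rather than failing on the first lets an endpoint answer a bad request with every defect at once, and keeping the parser in one module is the single shared validation point the discussion below asks for.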

Activity

Sven Stauber
March 15, 2018, 8:21 AM

Without looking at the code, you probably are right

Note that we won't work on this issue due to priorities, so if you have some time to address it, please go ahead.

Katrin Ihler
March 15, 2018, 7:09 AM

Good question. I haven't looked into this very much so far since this is work sponsored by SWITCH and they have other priorities right now, but it's still definitely on the to-do list. It's possible that api/series validates ACLs, but at least one of the other REST endpoints does not (or not sufficiently), which is why they ended up with series with broken ACLs. (I saw your pull requests regarding the UI issues btw, so at least that's fixed now, yay!)

The goal should definitely be to have one place that validates ACLs consistently, and to use that in all the endpoints that accept ACLs. It looks like you found some code duplication/overlap there; I'm gonna look into this as soon as I pick this back up...

Matthias Neugebauer
March 13, 2018, 1:13 PM

As far as I understand the code, /api/series should validate (series) ACLs (see org.opencastproject.external.util.AclUtils#deserializeJsonToAcl). For me this begs the question why this logic is different from org.opencastproject.security.api.AccessControlParser and why there even is a second implementation. Can't we just merge the two classes?

Assignee

Unassigned

Reporter

Katrin Ihler

Severity

Incorrectly Functioning Without Workaround