
Opencast is ignoring permissions

Steps to reproduce

Hi everyone,
I just noticed the following code:

```java
public class XACMLAuthorizationService implements AuthorizationService {
  ...
  public boolean hasPermission(final MediaPackage mp, final String action) {
    ...
    return getXacmlAttachment(mp).map(new Function<Attachment, Boolean>() {
      ...
    }).getOrElse(true); // <<-- SECURITY ISSUE ???
    ...
  }
  ...
```

Looking at this, it seems like Opencast would just allow any type of
access if no XACML is attached to a media package, regardless of the
action requested. That's… wrong.

Using `.getOrElse(false)` seems a valid quick fix, though evaluating the
default ACL instead (maybe using `getActiveACL()`) would probably be the
preferred choice.

Unfortunately, I do not have time to evaluate the threat right now
(maybe it's actually harmless). Could anyone take a short look at this?

Best regards,
Lars
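
The fail-open default described in the report above, next to the two remedies it mentions, as an added example that is not part of the original report or Opencast's code. `java.util.Optional` stands in for Opencast's option type, and the `Acl` and `MediaPackage` records, role names and package IDs are hypothetical, constructed for illustration (Java 16+).

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class FailClosedDemo {
  // Hypothetical stand-in for a parsed XACML attachment: action -> roles allowed.
  record Acl(Map<String, Set<String>> allowed) {
    boolean permits(String action, Set<String> roles) {
      return allowed.getOrDefault(action, Set.of()).stream().anyMatch(roles::contains);
    }
  }

  // Hypothetical media package; the ACL attachment may be absent.
  record MediaPackage(String id, Optional<Acl> acl) {}

  // Pattern from the report: a missing ACL falls through to "allow".
  static boolean failOpen(MediaPackage mp, String action, Set<String> roles) {
    return mp.acl().map(a -> a.permits(action, roles)).orElse(true);
  }

  // Quick fix from the report: a missing ACL denies every action.
  static boolean failClosed(MediaPackage mp, String action, Set<String> roles) {
    return mp.acl().map(a -> a.permits(action, roles)).orElse(false);
  }

  // Preferred option from the report: evaluate a default ACL when none is attached.
  static boolean withDefault(MediaPackage mp, String action, Set<String> roles, Acl dflt) {
    return mp.acl().orElse(dflt).permits(action, roles);
  }

  public static void main(String[] args) {
    // Constructed sample data.
    Acl dflt = new Acl(Map.of("read", Set.of("ROLE_ADMIN"), "write", Set.of("ROLE_ADMIN")));
    MediaPackage noAcl = new MediaPackage("mp-constructed-1", Optional.empty());
    MediaPackage withAcl = new MediaPackage("mp-constructed-2",
        Optional.of(new Acl(Map.of("read", Set.of("ROLE_STUDENT")))));
    Set<String> student = Set.of("ROLE_STUDENT");

    for (String action : new String[] {"read", "write"}) {
      System.out.printf("%-5s no ACL: open=%b closed=%b default=%b | ACL attached: closed=%b%n",
          action,
          failOpen(noAcl, action, student),
          failClosed(noAcl, action, student),
          withDefault(noAcl, action, student, dflt),
          failClosed(withAcl, action, student));
    }
  }
}
```

Only the package without an attached ACL behaves differently across the three variants, which is why a test suite that always attaches an ACL would not surface the default.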

Status

Assignee

Greg Logan

Reporter

Lars Kiesow

Severity

Security

Tags (folksonomy)

None

Components

Fix versions

Affects versions

4.2
3.2
3.1
3.4
3.3
3.0
4.0
4.1
3.5

Priority

Critical