Opencast is ignoring permissions

Steps to reproduce

Hi everyone,
I just noticed the following code:

public class XACMLAuthorizationService implements AuthorizationService {
public boolean hasPermission(final MediaPackage mp, final String action) {
return getXacmlAttachment(mp).map(new Function<Attachment, Boolean>() {
}).getOrElse(true); // <<-- SECURITY ISSUE ???

Looking at this, it seems like Opencast would just allow any type of
access if no XACML is attached to a media package, regardless of the
action requested. That's… wrong.

Using `.getOrElse(false)` seems a valid quick-fix though evaluating the
default ACL instead (maybe using `getActiveACL()`) would probably be the
preferred choice.

Unfortunately, I do not have time to evaluate the thread right now
(maybe, it's actually harmless). Could anyone take a short look at this?

Best regards,

Fixed and reviewed
Your pinned fields
Click on the next to a field label to start pinning.


Greg Logan


Lars Kiesow