Opencast is ignoring permissions

Steps to reproduce

Hi everyone,
I just noticed the following code:

```java
public class XACMLAuthorizationService implements AuthorizationService {
  ...
  public boolean hasPermission(final MediaPackage mp, final String action) {
    ...
    return getXacmlAttachment(mp).map(new Function<Attachment, Boolean>() {
      ...
    }).getOrElse(true); // <<-- SECURITY ISSUE ???
    ...
  }
  ...
```

Looking at this, it seems like Opencast would just allow any type of
access if no XACML is attached to a media package, regardless of the
action requested. That's… wrong.

Using `.getOrElse(false)` seems a valid quick fix, though evaluating the
default ACL instead (maybe using `getActiveACL()`) would probably be the
preferred choice.

Unfortunately, I do not have time to evaluate the threat right now
(maybe, it's actually harmless). Could anyone take a short look at this?

Best regards,
Lars
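Added example, not part of the original report and not Opencast code: a minimal model of the three behaviours discussed above (fail-open on a missing policy, the fail-closed quick fix, and falling back to a default ACL). It uses `java.util.Optional` in place of Opencast's own option type, and every class, method and role name in it is a hypothetical stand-in.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical stand-ins; none of these names are Opencast classes.
public class DefaultDenyDemo {
    // An ACL maps an action to the set of roles allowed to perform it.
    record Acl(Map<String, Set<String>> rolesByAction) {
        boolean allows(String role, String action) {
            return rolesByAction.getOrDefault(action, Set.of()).contains(role);
        }
    }

    // Constructed default ACL (assumption): only admins may read or write.
    static final Acl DEFAULT_ACL = new Acl(Map.of(
            "read", Set.of("ROLE_ADMIN"),
            "write", Set.of("ROLE_ADMIN")));

    // Fail-open: a missing policy grants every action (the pattern in the report).
    static boolean failOpen(Optional<Acl> attached, String role, String action) {
        return attached.map(acl -> acl.allows(role, action)).orElse(true);
    }

    // Quick fix: a missing policy denies every action.
    static boolean failClosed(Optional<Acl> attached, String role, String action) {
        return attached.map(acl -> acl.allows(role, action)).orElse(false);
    }

    // Fallback: a missing policy is replaced by the default ACL, which is then evaluated.
    static boolean withDefaultAcl(Optional<Acl> attached, String role, String action) {
        return attached.orElse(DEFAULT_ACL).allows(role, action);
    }

    public static void main(String[] args) {
        Optional<Acl> none = Optional.empty(); // media package with no policy attached
        Optional<Acl> episode = Optional.of(new Acl(Map.of("read", Set.of("ROLE_STUDENT"))));

        // Without an attached policy the three variants disagree.
        System.out.println("failOpen, anonymous write:    " + failOpen(none, "ROLE_ANONYMOUS", "write"));
        System.out.println("failClosed, anonymous write:  " + failClosed(none, "ROLE_ANONYMOUS", "write"));
        System.out.println("failClosed, admin read:       " + failClosed(none, "ROLE_ADMIN", "read"));
        System.out.println("defaultAcl, anonymous write:  " + withDefaultAcl(none, "ROLE_ANONYMOUS", "write"));
        System.out.println("defaultAcl, admin read:       " + withDefaultAcl(none, "ROLE_ADMIN", "read"));

        // With an attached policy all variants evaluate that policy.
        System.out.println("attached, student read:       " + failOpen(episode, "ROLE_STUDENT", "read"));
        System.out.println("attached, student write:      " + failOpen(episode, "ROLE_STUDENT", "write"));
    }
}
```

The admin rows show the trade-off between the two fixes: plain fail-closed also locks administrators out of media packages that have no policy, while the default-ACL fallback keeps them reachable under a known rule.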

Status

Assignee

Greg Logan

Reporter

Lars Kiesow

Severity

Security

Tags (folksonomy)

None

Components

Fix versions

Affects versions

Priority

Critical