MONDRIAN-568 The permissions for a dimension inherited by the cube we…

…re too lax and compared only the dimension name. I have extended a bit the decision process.

[git-p4: depot-paths = "//open/mondrian-release/3.2/": change = 13833]

src/main/mondrian/olap/RoleImpl.java

@@ -15,6 +15,9 @@
 
 import java.util.*;
 
+import mondrian.rolap.RolapCube;
+import mondrian.rolap.RolapCubeDimension;
+
 /**
  * <code>RoleImpl</code> is Mondrian's default implementation for the
  * <code>Role</code> interface.
@@ -202,7 +205,29 @@ public Access getAccess(Dimension dimension) {
             }
             final Dimension[] dimensions = cubeGrant.getKey().getDimensions();
             for (Dimension dimension1 : dimensions) {
-                if (dimension1.equals(dimension)) {
+                // If the dimensions have the same identity,
+                // we found an access rule.
+                if (dimension == dimension1) {
+                    return access;
+                }
+                // If the passed dimension argument is of class
+                // RolapCubeDimension, we must validate the cube
+                // assignment and make sure the cubes are the same.
+                // If not, skip to the next grant.
+                if (dimension instanceof RolapCubeDimension
+                    && dimension.equals(dimension1)
+                    && !((RolapCubeDimension)dimension1)
+                        .getCube()
+                            .equals(cubeGrant.getKey()))
+                {
+                    continue;
+                }
+                // Last thing is to allow for equality correspondences
+                // to work with virtual cubes.
+                if (cubeGrant.getKey() instanceof RolapCube
+                    && ((RolapCube)cubeGrant.getKey()).isVirtual()
+                    && dimension.equals(dimension1))
+                {
                     return access;
                 }
             }

testsrc/main/mondrian/test/AccessControlTest.java

@@ -1990,6 +1990,54 @@ public void testCalcMemberLevel() {
                 .withRole("Role1"));
     }
 
+    /**
+     * Test for bug MONDRIAN-568. Grants on OLAP elements are validated
+     * by name, thus granting implicit access to all cubes which have
+     * a dimension with the same name.
+     */
+    public void testBugMondrian568() {
+        final TestContext testContext =
+            TestContext.create(
+                null, null, null, null, null,
+                "<Role name=\"Role1\">\n"
+                + "  <SchemaGrant access=\"none\">\n"
+                + "    <CubeGrant cube=\"Sales\" access=\"none\">\n"
+                + "      <HierarchyGrant hierarchy=\"[Measures]\" access=\"custom\">\n"
+                + "        <MemberGrant member=\"[Measures].[Unit Sales]\" access=\"all\"/>\n"
+                + "      </HierarchyGrant>"
+                + "    </CubeGrant>\n"
+                + "  </SchemaGrant>\n"
+                + "</Role>\n"
+                + "<Role name=\"Role2\">\n"
+                + "  <SchemaGrant access=\"none\">\n"
+                + "    <CubeGrant cube=\"Sales Ragged\" access=\"all\"/>\n"
+                + "  </SchemaGrant>\n"
+                + "</Role>");
+
+        final TestContext testContextRole1 =
+            testContext
+                .withRole("Role1")
+                    .withCube("Sales");
+        final TestContext testContextRole12 =
+            testContext
+                .withRole("Role1,Role2")
+                    .withCube("Sales");
+
+        assertMemberAccess(
+            testContextRole1.getConnection(),
+            Access.NONE,
+            "[Measures].[Store Cost]");
+
+        assertMemberAccess(
+            testContextRole12.getConnection(),
+            Access.NONE,
+            "[Measures].[Store Cost]");
+    }
+
+    public void testDoubleUsageDoesNotGiveImplicitGrant() {
+
+    }
+
     private void checkCalcMemberLevel(TestContext testContext) {
         Result result = testContext.executeQuery(
             "with member [Store].[USA].[CA].[Foo] as\n"