Content pack permissions #1033

Closed
bernd opened this Issue Jan 14, 2015 · 1 comment

bernd commented Jan 14, 2015

When logged in as a non-admin user, I can see the "Create content pack" button on the content packs page. Clicking the button results in an exception.

! @6kol7c8bp - Internal server error, for (GET) [/system/contentpacks/export] ->

play.api.Application$$anon$1: Execution exception[[NullPointerException: null]]
        at play.api.Application$class.handleError(Application.scala:296) ~[play_2.10-2.3.6.jar:2.3.6]
        at play.api.DefaultApplication.handleError(Application.scala:402) [play_2.10-2.3.6.jar:2.3.6]
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [play_2.10-2.3.6.jar:2.3.6]
        at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$3$$anonfun$applyOrElse$4.apply(PlayDefaultUpstreamHandler.scala:320) [play_2.10-2.3.6.jar:2.3.6]
        at scala.Option.map(Option.scala:145) [scala-library.jar:na]
Caused by: java.lang.NullPointerException: null
        at views.html.system.bundles.export$$anonfun$1$$anonfun$apply$4.apply(export.template.scala:115) ~[classes/:na]
        at views.html.system.bundles.export$$anonfun$1$$anonfun$apply$4.apply(export.template.scala:111) ~[classes/:na]
        at play.twirl.api.TemplateMagic$.defining(TemplateMagic.scala:13) ~[twirl-api_2.10-1.0.2.jar:1.0.2]
        at views.html.system.bundles.export$$anonfun$1.apply(export.template.scala:111) ~[classes/:na]
        at views.html.system.bundles.export$$anonfun$1.apply(export.template.scala:64) ~[classes/:na]

On the server I see the following.

2015-01-14 20:58:13,942 INFO : org.graylog2.shared.security.ShiroAuthorizationFilter - User not authorized.
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [stream_outputs:create]
    at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323)
    at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137)
    at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205)
    at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74)
    at org.graylog2.shared.security.ShiroAuthorizationFilter.filter(ShiroAuthorizationFilter.java:49)

I guess there are some missing checks for permissions in the web interface. Not sure if a regular user should even see the content pack management.

@bernd bernd added this to the 1.0.0 milestone Jan 14, 2015


kroepke commented Jan 14, 2015

Right, there are permission checks failing in other parts as well.

@kroepke kroepke self-assigned this Jan 15, 2015

@kroepke kroepke closed this in e5a5422 Jan 19, 2015
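
The pattern this issue points at, as an added example that is not Graylog code and not taken from the fix commit: the web layer evaluates the same Shiro permission string the server enforces, hides the action when it is missing, and refuses the page before any template is rendered. The class and method names, the sample grants and the assumption that `stream_outputs:create` is the only permission the export page needs are hypothetical; the example requires shiro-core on the classpath.

```java
import java.util.Collection;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/** Added illustration, not Graylog code. */
public class ContentPackExportGate {
    // Assumption: permissions the export page's backend calls require.
    // Only stream_outputs:create comes from the server log in the issue.
    static final List<Permission> REQUIRED =
            List.of(new WildcardPermission("stream_outputs:create"));

    /** True only if every required permission is implied by a granted one. */
    static boolean canExport(Collection<String> granted) {
        for (Permission need : REQUIRED) {
            boolean implied = false;
            for (String g : granted) {
                if (new WildcardPermission(g).implies(need)) {
                    implied = true;
                    break;
                }
            }
            if (!implied) return false;
        }
        return true;
    }

    /** View side: render the button only for users who can use it. */
    static String renderButton(Collection<String> granted) {
        return canExport(granted)
                ? "<a href=\"/system/contentpacks/export\">Create content pack</a>"
                : "";
    }

    /** Controller side: answer 403 up front so the template never runs without its data. */
    static int exportPageStatus(Collection<String> granted) {
        return canExport(granted) ? 200 : 403;
    }

    public static void main(String[] args) {
        List<String> reader = List.of("streams:read", "dashboards:read"); // constructed grants
        List<String> admin = List.of("*");                                 // constructed grants
        System.out.println("reader button: '" + renderButton(reader) + "'");
        System.out.println("reader status: " + exportPageStatus(reader));
        System.out.println("admin status:  " + exportPageStatus(admin));
    }
}
```

Hiding the button is a usability measure only; the server-side check shown in the log above remains the control that enforces access.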
