Description
Brian Ewins (Migrated from SEC-1140) said:
Granting permissions with bitmasks with more than one bit set does not have the expected result, e.g.:
```
MutableAcl acl = (MutableAcl) mutableAclService.readAclById(objectIdentity);
Permission perm = BasePermission.buildFromMask(BasePermission.CREATE.getMask() | BasePermission.DELETE.getMask());
acl.insertAce(0, perm, sid, true);
assert(acl.isGranted(new Permission[]{BasePermission.CREATE}, new Sid[] {sid}, false));
```
As well as the forum link above, this gets mentioned other times in the forum:
http://forum.springsource.org/showthread.php?p=235305
http://forum.springsource.org/showthread.php?t=68655
and as one of the many issues in SEC-479. I’m raising this to split this one issue into a separate bug.
Each time it's come up, the outcome is that people are reimplementing AclImpl, BasicLookupStrategy etc. In our case we’re migrating data from a different ACL system, and this results in us having to split up every individual permission in the database (since otherwise the CumulativePermission loaded never matches). It does seem to defeat the purpose of these things being bitmasks, as well as meaning we need to store 32x as many rows.
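The mismatch described in this report, reproduced as an added example that is not Spring Security's code or the reporter's: a dependency-free model that assumes the ACL check compares an entry's mask to the requested mask by equality. `Ace`, `MaskMatcher`, `isGranted` and `splitIntoSingleBits` are hypothetical names and the sid is simplified to a string; the CREATE and DELETE values follow `BasePermission`.

```java
import java.util.ArrayList;
import java.util.List;

public class AclMaskMatchDemo {
    // Mask values as defined by Spring Security's BasePermission.
    static final int CREATE = 1 << 2, DELETE = 1 << 3;

    // Simplified stand-in for an ACE (hypothetical type): one mask, one sid, grant or deny.
    record Ace(int mask, String sid, boolean granting) {}

    interface MaskMatcher { boolean matches(int aceMask, int requestedMask); }

    // Equality (assumed model of the reported behaviour): CREATE|DELETE never equals CREATE.
    static final MaskMatcher EXACT = (ace, req) -> ace == req;
    // Bitwise: the entry matches when it contains every requested bit.
    static final MaskMatcher BITWISE = (ace, req) -> (ace & req) == req;

    // First matching ACE for the sid decides; in this model no match means not granted.
    static boolean isGranted(List<Ace> aces, int requested, String sid, MaskMatcher m) {
        for (Ace ace : aces) {
            if (ace.sid().equals(sid) && m.matches(ace.mask(), requested)) {
                return ace.granting();
            }
        }
        return false;
    }

    // The migration workaround from the report: one single-bit row per set bit.
    static List<Ace> splitIntoSingleBits(Ace ace) {
        List<Ace> rows = new ArrayList<>();
        for (int bit = 0; bit < 32; bit++) {
            int single = 1 << bit;
            if ((ace.mask() & single) != 0) {
                rows.add(new Ace(single, ace.sid(), ace.granting()));
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        Ace combined = new Ace(CREATE | DELETE, "alice", true); // constructed sample entry
        List<Ace> acl = List.of(combined);
        System.out.println("exact:   " + isGranted(acl, CREATE, "alice", EXACT));
        System.out.println("bitwise: " + isGranted(acl, CREATE, "alice", BITWISE));
        System.out.println("split:   " + isGranted(splitIntoSingleBits(combined), CREATE, "alice", EXACT));
    }
}
```

With first-match evaluation, switching to bitwise matching also widens what a deny entry with a combined mask blocks, so ACE ordering should be reviewed before changing the comparison.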