
SEC-2615: accesscontrollist tag documentation incorrectly states hasPermission is an or #2831

Closed
spring-issuemaster opened this issue May 30, 2014 · 0 comments


@spring-issuemaster spring-issuemaster commented May 30, 2014

Kenneth Hopkins (Migrated from SEC-2615) said:

Updated Description

In 3.1 the accesscontrollist tag began performing an and on the permissions. This may have been accidental, but I think that it is more intuitive & secure for it to behave this way. When compared to hasAnyRole and hasRoles, the hasPermission tag implies it is an and. If users end up needing OR support, then the authorize tag can be used along with the hasPermission expression. For example:

<sec:authorize access="hasPermission(#domain, 'read') or hasPermission(#domain, 'write')">
    <%-- body is rendered only when the current user holds read OR write on #domain --%>
</sec:authorize>

In general, the authorize tag should be preferred as it is the more powerful way of performing authorization checks.

Original

According to section 4.4 of the Spring Security reference guide:
It checks a comma-separated list of required permissions for a specified domain object. If the current user has any of those permissions, then the tag body will be evaluated. If they don’t, it will be skipped.
http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#the-accesscontrollist-tag

However, the tag seems to check that the user must have all the permissions listed in the hasPermission attribute.

It looks like SEC-1560 introduced the problem. I believe that means it impacts versions 3.1 through the current version.

I'm attaching a diff that I believe will get the tag working as documented again.
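As an added illustration (not code from Spring Security and not the diff attached to this issue), the Java class below models the two possible readings of a comma-separated hasPermission attribute: the documented "any of" semantics and the "all of" semantics the report observes. The PermissionEvaluator interface and the MapAcl class are simplified stand-ins for Spring Security's real PermissionEvaluator and ACL infrastructure (the real interface takes an Authentication, not a principal name); the user names, document id and granted permissions are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not code from Spring Security or from this issue.
// Models how a tag like accesscontrollist decides whether to render its body
// for a comma-separated "hasPermission" attribute, under the documented
// "any of" semantics versus the "all of" semantics reported above.
public class AclTagSemantics {

    // Simplified stand-in (assumption) for Spring Security's PermissionEvaluator.
    interface PermissionEvaluator {
        boolean hasPermission(String principal, String domainObjectId, String permission);
    }

    // Toy in-memory ACL: principal -> domain object id -> granted permissions.
    static class MapAcl implements PermissionEvaluator {
        private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

        MapAcl grant(String principal, String domainObjectId, String... permissions) {
            grants.computeIfAbsent(principal, k -> new HashMap<>())
                  .computeIfAbsent(domainObjectId, k -> new HashSet<>())
                  .addAll(Arrays.asList(permissions));
            return this;
        }

        @Override
        public boolean hasPermission(String principal, String domainObjectId, String permission) {
            return grants.getOrDefault(principal, Map.of())
                         .getOrDefault(domainObjectId, Set.of())
                         .contains(permission);
        }
    }

    // Splits the attribute value "read,write" into ["read", "write"], ignoring blanks.
    static List<String> parsePermissions(String attribute) {
        List<String> result = new ArrayList<>();
        for (String p : attribute.split(",")) {
            String trimmed = p.trim();
            if (!trimmed.isEmpty()) {
                result.add(trimmed);
            }
        }
        return result;
    }

    // Documented behaviour: render if the user holds ANY listed permission.
    // This is what the SpEL form "hasPermission(#d,'read') or hasPermission(#d,'write')"
    // in the authorize tag expresses explicitly.
    static boolean anyPermission(PermissionEvaluator ev, String principal, String id, String attribute) {
        for (String p : parsePermissions(attribute)) {
            if (ev.hasPermission(principal, id, p)) {
                return true;
            }
        }
        return false;
    }

    // Behaviour the report observes since SEC-1560: render only if ALL are held.
    static boolean allPermissions(PermissionEvaluator ev, String principal, String id, String attribute) {
        List<String> required = parsePermissions(attribute);
        if (required.isEmpty()) {
            return false;   // an empty permission list must never open the body
        }
        for (String p : required) {
            if (!ev.hasPermission(principal, id, p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample ACL: alice may only read doc-1, bob may read and write it,
        // carol has no grants at all.
        MapAcl acl = new MapAcl()
                .grant("alice", "doc-1", "read")
                .grant("bob", "doc-1", "read", "write");
        String attribute = "read,write";   // the tag's hasPermission attribute value

        for (String user : new String[] {"alice", "bob", "carol"}) {
            System.out.printf("%-6s any-of=%-5b all-of=%-5b%n", user,
                    anyPermission(acl, user, "doc-1", attribute),
                    allPermissions(acl, user, "doc-1", attribute));
        }
    }
}
```

Compile and run it with `javac AclTagSemantics.java && java AclTagSemantics`. The row for alice is the one that matters for this issue: a user holding only one of the listed permissions sees the tag body under the documented any-of reading but not under the all-of reading, so which semantics the tag really implements decides what a least-privileged viewer gets to see, and a page template written against the documentation will hide or expose content depending on the library version it runs on.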
