[midPoint-git] [Evolveum/midpoint] 4cd16d: Improve authorization for filter items
mederly
noreply at github.com
Tue Apr 30 18:57:25 CEST 2024
Branch: refs/heads/master
Home: https://github.com/Evolveum/midpoint
Commit: 4cd16d59cc0c49c1aec61263eb151ed53816e7b7
https://github.com/Evolveum/midpoint/commit/4cd16d59cc0c49c1aec61263eb151ed53816e7b7
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-04-30 (Tue, 30 Apr 2024)
Changed paths:
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/FilteringContext.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestExpressionProfiles.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractInitializedSecurityTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
M model/model-intest/src/test/resources/logback-test.xml
A model/model-intest/src/test/resources/security/role-deny-read-assignment-and-roleMembershipRef.xml
A model/model-intest/src/test/resources/security/user-alex.xml
A model/model-intest/src/test/resources/security/user-betty.xml
M model/model-intest/testng-integration-full.xml
M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/PositiveNegativeItemPaths.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation.java
R repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryAutzItemPaths.java
A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectAutzCoverage.java
A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectsAutzCoverage.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityTraceEvent.java
Log Message:
-----------
Improve authorization for filter items

In order to evaluate a filter, one has to be authorized to access
items (and their values) used for filter evaluation. The support
for this feature was present but a bit incomplete. "Deny"
authorizations were not taken into account, and authorizations
for unrelated types (required e.g. by the referencedBy filter)
were ignored.

This commit partially fixes that: "deny" authorizations are now
supported in the same way as "allow" ones, and some filter items
are checked, at least at a rudimentary level. To be improved later.

(Also adding forgotten TestExpressionProfiles to test suite.)

Related to MID-9638 and MID-9670.
Commit: 200af1955522cd7b833c0854efc63dc0c2937916
https://github.com/Evolveum/midpoint/commit/200af1955522cd7b833c0854efc63dc0c2937916
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-04-30 (Tue, 30 Apr 2024)
Changed paths:
M docs/concepts/query/midpoint-query-language/introduction.adoc
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/MainObjectListPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/search/wrapper/DeadShadowSearchItemWrapper.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/simulation/SimulationResultsPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/self/requestAccess/RoleCatalogPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertDefinitions.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/visualizer/Resolver.java
Log Message:
-----------
Merge remote-tracking branch 'origin/master'
Compare: https://github.com/Evolveum/midpoint/compare/ebdee96f4547...200af1955522