[midPoint-git] [Evolveum/midpoint] 776281: Fix authorization evaluation for the EXISTS filter

mederly noreply at github.com
Fri Sep 2 10:08:35 CEST 2022


  Branch: refs/heads/support-4.4
  Home:   https://github.com/Evolveum/midpoint
  Commit: 7762819a855230569b0ee375791a1858221c59d5
      https://github.com/Evolveum/midpoint/commit/7762819a855230569b0ee375791a1858221c59d5
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2022-09-02 (Fri, 02 Sep 2022)

  Changed paths:
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
    A model/model-intest/src/test/resources/security/role-search-user-assignment-targetRef.xml
    M model/model-intest/src/test/resources/security/user-deputy-1.xml
    M model/model-intest/src/test/resources/security/user-deputy-2.xml
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AutzItemPaths.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryAutzItemPaths.java

  Log Message:
  -----------
  Fix authorization evaluation for the EXISTS filter

When determining the list of items required to evaluate a search filter,
the special nature of the EXISTS filter was ignored.

It is now fixed.

Note: When a filter like "EXISTS(path1): path2=..." is used, both
path1 and path1/path2 have to be allowed in the authorization.
Please see role-search-user-assignment-targetRef.xml for an example.

This should resolve MID-7931.

(cherry picked from commit 5fd3fb07b320b33c73b81451d48d2c25c4dcfd19)
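
The rule in the note above, as an added example that is not code from this commit or from midPoint: a small Python model that collects the item paths a filter needs and checks them against an authorization's allowed items. The classes, the exact-match check and the sample paths (picked to echo the name of the test role file) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified filter model: hypothetical classes, not midPoint's filter API.
@dataclass(frozen=True)
class Equal:
    path: str   # item path, relative to the enclosing context
    value: str

@dataclass(frozen=True)
class Exists:
    path: str   # container in which the nested filter is evaluated
    inner: Optional[object] = None

@dataclass(frozen=True)
class And:
    parts: Tuple[object, ...]

def required_items(flt, base=""):
    """Collect every item path the filter reads, resolved from the object root."""
    def resolve(path):
        return f"{base}/{path}" if base else path
    if isinstance(flt, Equal):
        return {resolve(flt.path)}
    if isinstance(flt, Exists):
        here = resolve(flt.path)
        items = {here}  # the EXISTS path itself must be allowed
        if flt.inner is not None:
            # nested paths are relative to the EXISTS path, not to the root
            items |= required_items(flt.inner, here)
        return items
    if isinstance(flt, And):
        return set().union(*(required_items(p, base) for p in flt.parts))
    raise TypeError(f"unsupported filter: {flt!r}")

def check_search(flt, allowed_items):
    """Return (allowed, missing) using exact path matching (an assumption)."""
    missing = sorted(required_items(flt) - set(allowed_items))
    return (not missing, missing)

# Constructed sample: EXISTS(assignment): targetRef = <placeholder OID>
SAMPLE = Exists("assignment", Equal("targetRef", "00000000-0000-0000-0000-000000000000"))

if __name__ == "__main__":
    for allowed in (["assignment"], ["assignment/targetRef"],
                    ["assignment", "assignment/targetRef"]):
        print(allowed, "->", check_search(SAMPLE, allowed))
```

Only the third allowed-items list passes; each of the first two is reported with the path it lacks.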
