Details
- Bug
- Resolution: Fixed
- Medium
- 2.12.0
Description
When an EscalatedSecurityContext is created through the SecurityService, it captures the currently authenticated user and uses that as the run-as user. This meant that any security contexts with elevated permissions that are created during initialization capture a null user and run anonymously.
Code like this would trigger the error:
```java
public class MyComponent {
    private final EscalatedSecurityContext withRead;

    public MyComponent(SecurityService securityService) {
        // bug: the run-as user is captured here, in this case null
        withRead = securityService.withPermission(Permission.REPO_READ, "some reason");
    }

    public void fancyLogicHere() {
        withRead.call(new UncheckedOperation<Void>() {
            public Void perform() {
                // bug: the 'null' run-as user captured in the constructor is set
                // as the current user (but with REPO_READ permissions)
                // ....
                return null;
            }
        });
    }
}
```
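The capture-time behaviour described above, modelled in plain Java as an added example (not Bitbucket's code or API): `CURRENT_USER`, `EscalatedContext`, `captureAtCreation` and `resolveAtCall` are hypothetical stand-ins, and the user name is constructed. The context built during initialization keeps the null user it captured, while the one that reads the user inside `call()` runs as the authenticated caller.

```java
import java.util.concurrent.Callable;
import java.util.function.Supplier;

// Simplified stand-in for the behaviour in this issue; none of these types are the Bitbucket API.
public class RunAsCaptureDemo {
    // Stand-in for the authentication context: the user bound to the current thread.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Escalated context that takes its run-as user from a supplier.
    static final class EscalatedContext {
        private final Supplier<String> runAs;

        EscalatedContext(Supplier<String> runAs) { this.runAs = runAs; }

        // Eager: reads the current user once, at creation (the behaviour reported here).
        static EscalatedContext captureAtCreation() {
            String captured = CURRENT_USER.get();
            return new EscalatedContext(() -> captured);
        }

        // Lazy: reads the current user each time call() runs (one alternative, assumed here).
        static EscalatedContext resolveAtCall() {
            return new EscalatedContext(CURRENT_USER::get);
        }

        <T> T call(Callable<T> op) throws Exception {
            String previous = CURRENT_USER.get();
            CURRENT_USER.set(runAs.get());      // switch to the run-as user
            try {
                return op.call();
            } finally {
                CURRENT_USER.set(previous);     // always restore the caller's identity
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Component initialization: nobody is authenticated on this thread yet.
        EscalatedContext eager = EscalatedContext.captureAtCreation();
        EscalatedContext lazy = EscalatedContext.resolveAtCall();

        // Later, a request arrives for an authenticated user (constructed name).
        CURRENT_USER.set("alice");
        System.out.println("eager runs as: " + eager.call(() -> String.valueOf(CURRENT_USER.get())));
        System.out.println("lazy runs as:  " + lazy.call(() -> String.valueOf(CURRENT_USER.get())));
    }
}
```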
Issue Links
- is related to BSERV-7395 Access key auth information needed in StashAuthenticationContext for plugin development (Closed)