[cle-release-team] [Sakai Jira] Commented: (SAK-21872) Citations copy/duplicate doesn't work as expected.

Matthew Buckett (JIRA) bugs-admin at sakaiproject.org
Tue Mar 27 04:27:17 PDT 2012


    [ https://jira.sakaiproject.org/browse/SAK-21872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=154057#comment-154057 ] 

Matthew Buckett commented on SAK-21872:
---------------------------------------

Duplicate through the Resources UI works as expected in 2.8.x, with org.sakaiproject.citation.impl.BaseCitationService.CitationListDuplicateAction calling org.sakaiproject.citation.impl.BaseCitationService.copyCitationCollection(Reference); this results in a copy of the reading list, as it should.

> Citations copy/duplicate doesn't work as expected.
> --------------------------------------------------
>
>                 Key: SAK-21872
>                 URL: https://jira.sakaiproject.org/browse/SAK-21872
>             Project:  Sakai CLE
>          Issue Type: Bug
>      Security Level: Security Issue(Security Issues are not available to those outside the sakai groups.) 
>          Components: Citations, Citations Helper
>    Affects Versions: 2.6.3, 2.7.2, 2.8.1, 2.9.0-b02, 2.10 [Tentative]
>            Reporter: Matthew Buckett
>            Assignee: Jon Dunn
>
> When you copy/duplicate a citation list you get a second citation list entry in the resources tool, but you are actually still editing the same citation list. This is a security issue because you can use the resources tool to copy a reading list you only have read-only access to into your MyWorkspace (using show other sites); the user then has write access to the copy in MyWorkspace. As the two lists point to the same citations list, you can now edit the list from your MyWorkspace and see the changes in the other site. You can also make the copy through WebDAV.
> The citations functionality works by storing its lists in the database and then storing the ID of that reading list in the content of an item in resources. So when you edit a citation list item, the permission checks are done by the ContentHostingService. The copy functionality just copies the item in ContentHostingService, and so you have two items with the same citation list ID.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
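
The aliasing described in the report, modelled as an added Java example that is not Sakai code and not part of the original message. It contrasts a copy that duplicates only the stored list ID with one that duplicates the list itself; every class, method, user and path name here is hypothetical.

```java
import java.util.*;

// Hypothetical model, not Sakai code: a resource item stores only the ID of a
// citation list, and write permission is checked on the item, not on the list.
public class CitationCopyDemo {
    static final Map<String, List<String>> lists = new HashMap<>();   // listId -> citations
    static final Map<String, String> items = new HashMap<>();         // item path -> listId
    static final Map<String, Set<String>> writers = new HashMap<>();  // item path -> users with write

    // Copy as described in the report: the item content (the list ID) is duplicated as-is.
    static void shallowCopy(String src, String dst, String user) {
        items.put(dst, items.get(src));
        writers.put(dst, new HashSet<>(Set.of(user)));
    }

    // Copy that duplicates the list itself and stores the new ID in the new item.
    static void deepCopy(String src, String dst, String user) {
        String newId = UUID.randomUUID().toString();
        lists.put(newId, new ArrayList<>(lists.get(items.get(src))));
        items.put(dst, newId);
        writers.put(dst, new HashSet<>(Set.of(user)));
    }

    // An edit passes through the item-level permission check only.
    static void addCitation(String item, String user, String citation) {
        if (!writers.getOrDefault(item, Set.of()).contains(user))
            throw new SecurityException(user + " cannot write " + item);
        lists.get(items.get(item)).add(citation);
    }

    public static void main(String[] args) {
        // Constructed sample data: one course reading list writable by the instructor only.
        lists.put("list-1", new ArrayList<>(List.of("Original citation")));
        items.put("/site/course/readings", "list-1");
        writers.put("/site/course/readings", new HashSet<>(Set.of("instructor")));

        deepCopy("/site/course/readings", "/user/student/copy-b", "student");
        addCitation("/user/student/copy-b", "student", "Edit via deep copy");
        shallowCopy("/site/course/readings", "/user/student/copy-a", "student");
        addCitation("/user/student/copy-a", "student", "Edit via shallow copy");

        // The course list holds the shallow-copy edit but not the deep-copy edit.
        System.out.println("course list: " + lists.get("list-1"));
        System.out.println("copy-b list: " + lists.get(items.get("/user/student/copy-b")));
    }
}
```

A regression test for this class of bug can assert that the list ID stored in the copied item differs from the source item's ID, and that an edit made through the copy leaves the source list unchanged.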
