HTTP PATCH with spring-data-rest @PreAuthorize save() method: custom PermissionEvaluator receives null object
Summary
Sample: https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
spring-security 4.1.3, spring-boot 4.1, latest spring-data-jpa/rest libraries
I have a custom repository interface that extends from other interfaces that ultimately extend from PagingAndSortingRepository, with SpEL-annotated protected methods like this. I also have a custom PermissionEvaluator.
// Intermediary interface; the name BaseRepository is assumed here, the annotated methods are as posted
@NoRepositoryBean
public interface BaseRepository<T, ID extends Serializable> extends PagingAndSortingRepository<T, ID> {
    @Override
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    T findOne(ID id);

    @Override
    @PreAuthorize("hasPermission(#c,'CREATE,UPDATE')")
    <S extends T> S save(@P("c") S data);
}
I then have a client do a PATCH of a TestRecord. What happens is as follows:
- spring-data-rest calls findOne(id) with the id of the object being updated (to fetch the original record for update). My PermissionEvaluator is properly called with the object.
- Next, spring-data-rest calls save() with the object to save. However my PermissionEvaluator at this point is passed a null object for #c above.
Also, with the initial POST, the targetObject is NULL on save()...
Expected Behavior
Expected behavior is that my PermissionEvaluator should be invoked with a non-null object when save() is invoked, regardless of whether it is a POST or a PATCH, and that this all works with intermediary interfaces for repositories deriving from PagingAndSortingRepository.
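As an added illustration, not code from the reporter or from the linked sample project: a PermissionEvaluator that fails closed when the target domain object arrives as null in the situation described above (save() invoked via POST or PATCH), logs the denial so the gap is visible, and also covers the id/type overload that spring-security calls for hasPermission(id, type, perm) expressions. The class name FailClosedPermissionEvaluator, the authority naming convention "<Type>:<PERMISSION>", the stand-in TestRecord class and the reading of 'CREATE,UPDATE' as "all of these are required" are assumptions made for this example.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Example evaluator (not the project's own code). A null target is treated as
 * a denial instead of being silently accepted, so an expression such as
 * hasPermission(#c,'CREATE,UPDATE') cannot pass when #c resolves to null.
 */
public class FailClosedPermissionEvaluator implements PermissionEvaluator {

    // Stand-in for the entity named in the issue; a real project would use its JPA entity.
    public static class TestRecord {
        public Integer id;
        public TestRecord(Integer id) { this.id = id; }
    }

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        if (targetDomainObject == null) {
            // The case reported above: the method-security argument resolved to null.
            // Fail closed and make it visible rather than granting by accident.
            System.err.println("DENY: null target for permission '" + permission
                    + "' requested by " + auth.getName());
            return false;
        }
        String type = targetDomainObject.getClass().getSimpleName();
        return holdsAll(auth, type, requiredPermissions(permission));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null || targetType == null) {
            return false;
        }
        return holdsAll(auth, targetType, requiredPermissions(permission));
    }

    // 'CREATE,UPDATE' -> {CREATE, UPDATE}; the caller must hold every listed permission.
    static Set<String> requiredPermissions(Object permission) {
        if (permission == null) {
            return Set.of();
        }
        return Arrays.stream(permission.toString().split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(String::toUpperCase)
                .collect(Collectors.toSet());
    }

    // Assumed convention: a granted authority "<Type>:<PERMISSION>", e.g. "TestRecord:UPDATE".
    private boolean holdsAll(Authentication auth, String type, Set<String> required) {
        if (required.isEmpty()) {
            return false; // an empty permission list is a configuration error; deny
        }
        Set<String> held = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return required.stream().allMatch(p -> held.contains(type + ":" + p));
    }

    public static void main(String[] args) {
        FailClosedPermissionEvaluator evaluator = new FailClosedPermissionEvaluator();
        // Constructed test principal holding both permissions on TestRecord.
        Authentication alice = new TestingAuthenticationToken(
                "alice", "pw", "TestRecord:CREATE", "TestRecord:UPDATE");

        boolean withObject = evaluator.hasPermission(alice, new TestRecord(1), "CREATE,UPDATE");
        boolean withNull = evaluator.hasPermission(alice, null, "CREATE,UPDATE");
        boolean byId = evaluator.hasPermission(alice, 1, "TestRecord", "UPDATE");

        System.out.println("object present -> " + withObject); // true
        System.out.println("object null    -> " + withNull);   // false, logged on stderr
        System.out.println("by id/type     -> " + byId);       // true
    }
}
```

To wire it in with spring-security 4.x method security, override createExpressionHandler() in a GlobalMethodSecurityConfiguration subclass, return a DefaultMethodSecurityExpressionHandler and call setPermissionEvaluator(new FailClosedPermissionEvaluator()) on it. The fail-closed branch does not fix the null argument the issue is about; it turns a silent grant into a logged denial, which is the safer default while the underlying resolution problem is open.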
+1
@rwinch sample project: https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
Note the only way this works is if you have no intermediary repository interfaces between PagingAndSortingRepository and your repository... which, if we have to do that, sort of defeats the purpose of being able to extend our own intermediary interfaces after PagingAndSortingRepository,
such as:
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

// Repository extending PagingAndSortingRepository directly, with no intermediary interface
@RepositoryRestResource(collectionResourceRel = "testrecords", path = "testrecords")
public interface TestRecordRepository extends PagingAndSortingRepository<TestRecord, Integer> {
    @Override
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    TestRecord findOne(Integer id);

    @Override
    @PreAuthorize("hasPermission(#c,'CREATE,UPDATE')")
    TestRecord save(@P("c") TestRecord data);
}
+1
+1
Can anyone take a look at this please?
ping.... this has a sample project attached no less. Please take a look?
Can anyone check this issue please?
+1
Is there any chance this will ever be addressed?
this looks like a (potential) security hole
+1
Hi, I wanted to follow up. This issue has been open for 8 years, seemingly with no comment from the Spring team. I am running into a similar issue dealing with a JPA repository. Is there any progress on this?