Affects Version/s: 6.2.X EE, 7.0.1 CE GA2
Component/s: Application Security > Permissions
Description: The maximum number of resource actions supported for a given resource is 64. However, if the user has exceeded this limit and wants to remove some resource actions to make room for new ones, there is no obvious way to do this. Simply deploying an updated version of their war that removes some resource actions and adds in new ones causes strange behaviors with their resource actions. Calling the API to delete resource actions does not work, because when you try to deploy new resource actions afterward, they will not take the place of the old ones. Instead, they will all get the largest available bitwise value (-2^63).
LPS-49889 attempted to fix the issue of these weird behaviors by throwing an exception when you try to add more than 64 resource actions at a time. However, it is possible to circumvent this exception and still experience the weird behaviors, as I will demonstrate below.
Steps to Reproduce:
- Deploy the attached permissions-test-portlet.
- Check the resourceActions table of the database to ensure that all the permissions were added (there should be 64 entries for name=permissiontest_WAR_permissiontestportlet, with the last one being actionId PORTLET_29, bitwiseValue -9223372036854775808).
- Run the following Groovy Script to delete some of the resource actions:
- Shut down the portal.
- Download the attached permissions-test-portlet-modified and rename it to permissions-test-portlet. Place the portlet in the deploy folder. This is identical to the previous portlet except that the actionIds of some of the permissions were renamed.
- Start the portal and wait for the new portlet to deploy.
- Check your resourceActions table.
Expected result: The new resource actions would all be assigned distinct bitwise values, since other resource actions have been deleted to make space for them.
Actual result: The new resource actions have all been assigned bitwise values of -9223372036854775808, making them unusable.
Reproduced in master: b3a540167ec6cffb0030dacb5d65ea3029741106
Reproduced in 6.2.x: ea8d034b9afdc6b4b76dde47ac12f1eaa6ba65d6