Implements: https://jira.sonarsource.com/browse/RSPEC-5809
Should raise when:
- a vote method implementation of the AccessDecisionVoter interface never returns ACCESS_DENIED
- a hasPermission method implementation of the PermissionEvaluator interface never returns false
Exceptions:
- To avoid false positives, the rule should not raise when there is even a single "complex" (not a primitive literal) return expression in the method:
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
      return complexFunction(targetDomainObject, permission);
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Noncompliant
      return true;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
      if ("toto".equals(targetDomainObject)) { // equals() instead of == so the check is on content, not identity
        return complexFunction(targetDomainObject, permission);
      }
      return true; // Also compliant if return false
    }
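The ticket only shows the PermissionEvaluator side; the following is an added example (not from the ticket or the Sonar Java analyzer) of the AccessDecisionVoter case, with a noncompliant voter that can never deny beside a compliant one. The class names PermissiveVoter and DenyingRoleVoter and the "ROLE_" attribute prefix are assumptions made for the example.

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Noncompliant: vote() never returns ACCESS_DENIED, so this voter can only
// grant; the rule should raise on this method. (Hypothetical class name.)
class PermissiveVoter implements AccessDecisionVoter<Object> {
  @Override public boolean supports(ConfigAttribute attribute) { return true; }
  @Override public boolean supports(Class<?> clazz) { return true; }

  @Override
  public int vote(Authentication authentication, Object object,
                  Collection<ConfigAttribute> attributes) {
    return ACCESS_GRANTED;
  }
}

// Compliant: a deny path exists. Attributes this voter does not understand
// lead to ACCESS_ABSTAIN so other voters in the AccessDecisionManager still
// get a say; a supported attribute that is not matched is denied.
// (Hypothetical class name; "ROLE_" prefix assumed for the example.)
class DenyingRoleVoter implements AccessDecisionVoter<Object> {
  @Override
  public boolean supports(ConfigAttribute attribute) {
    return attribute.getAttribute() != null
        && attribute.getAttribute().startsWith("ROLE_");
  }

  @Override public boolean supports(Class<?> clazz) { return true; }

  @Override
  public int vote(Authentication authentication, Object object,
                  Collection<ConfigAttribute> attributes) {
    int result = ACCESS_ABSTAIN;
    for (ConfigAttribute attribute : attributes) {
      if (!supports(attribute)) {
        continue; // not a role attribute: stay abstained
      }
      result = ACCESS_DENIED; // a role attribute must be matched to grant
      for (GrantedAuthority authority : authentication.getAuthorities()) {
        if (attribute.getAttribute().equals(authority.getAuthority())) {
          return ACCESS_GRANTED;
        }
      }
    }
    return result;
  }
}
```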
Issue links:
- contributes to: MMF-2044 Java analyzer detects broken authentication and access control (Closed)
- implements: RSPEC-5808 Authorizations should be based on strong decisions (Active)