[SONARJAVA-3396] Rule S5808 Authorizations should be based on strong decisions - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.9
Component/s: Rules
Labels:
None

Description

Implements: https://jira.sonarsource.com/browse/RSPEC-5809

Should raise when:

a Vote method implementation of the AccessDecisionVoter interface doesn't return ACCESS_DENIED

a hasPermission method implementation of the PermissionEvaluator interface doesn't return false

Exceptions:

To avoid FPs, should not raise when there is only one "complex"(not primitive) return:

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
        return complexFunction(targetDomainObject, permission); 
    }

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Noncompliant
       return true;
    }

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
        if(targetDomainObject == "toto") {
            return complexFunction(targetDomainObject, permission); 
        }

       return true; // Also compliant if return false
    }

Attachments

Issue Links

implements

RSPEC-5808 Authorizations should be based on strong decisions

Active

Activity

People

Assignee:: Quentin Jaquier

Reporter:: Eric Therond

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Due:: 02/Oct/20

Created:: 14/May/20 12:10 PM

Updated:: 30/Sep/20 10:16 AM

Resolved:: 30/Sep/20 10:16 AM