[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)
bugzilla-daemon@bugzilla.ximian.com
Tue, 22 Jun 2004 20:59:49 -0400 (EDT)
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by davidandrewtaylor@hotmail.com.
http://bugzilla.ximian.com/show_bug.cgi?id=60482
--- shadow/60482 2004-06-22 05:12:12.000000000 -0400
+++ shadow/60482.tmp.2661 2004-06-22 20:59:49.000000000 -0400
@@ -1,13 +1,13 @@
Bug#: 60482
Product: Mono: Class Libraries
Version: unspecified
OS: Red Hat 9.0
OS Details:
-Status: RESOLVED
-Resolution: FIXED
+Status: REOPENED
+Resolution:
Severity: Unknown
Priority: Blocker
Component: Sys.Web
AssignedTo: mono-bugs@ximian.com
ReportedBy: davidandrewtaylor@hotmail.com
QAContact: mono-bugs@ximian.com
@@ -119,6 +119,20 @@
return data.Allow;
}
------- Additional Comments From gonzalo@ximian.com 2004-06-22 05:12 -------
Fixed in CVS.
+
+------- Additional Comments From davidandrewtaylor@hotmail.com 2004-06-22 20:59 -------
+Gonzalo - your code is still not correct and does not work given a
+situation like this:
+<deny users="anotheruser" roles="myrole" />
+* If my login was "user1" but I was in the role "myrole" your code
+will skip right past that and not match (unlike MS.NET). This is
+because any single "deny" or "allow" clause can match *either* on
+the "roles" or a "users" attribute.
+
+Please look at my code again, which I believe is correct. You can
+see in my last line where I say "verb && (users || roles)".
+
+
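Review bot: the case reported in the added comment, `<deny users="anotheruser" roles="myrole" />` evaluated for login "user1" who is in role "myrole", has no test attached to this record, so the "Fixed in CVS" status above it cannot be checked against the reopened behaviour. Attach a regression test that expects this rule to match on the role alone, plus the mirror case where only the `users` attribute matches, so both branches of the `verb && (users || roles)` condition quoted in the comment are exercised. A deny clause that is skipped leaves the decision to whatever rule follows it, so the test should assert the final allow/deny result for the request and not only whether the clause matched.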