[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Tue, 22 Jun 2004 21:47:50 -0400 (EDT)


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by davidandrewtaylor@hotmail.com.

http://bugzilla.ximian.com/show_bug.cgi?id=60482

--- shadow/60482	2004-06-22 20:59:49.000000000 -0400
+++ shadow/60482.tmp.3081	2004-06-22 21:47:50.000000000 -0400
@@ -10,13 +10,12 @@
 Component: Sys.Web
 AssignedTo: mono-bugs@ximian.com                            
 ReportedBy: davidandrewtaylor@hotmail.com               
 QAContact: mono-bugs@ximian.com
 TargetMilestone: ---
 URL: 
-Cc: 
 Summary: Critical bug in ASP.NET UrlAuthorization Module (beta 3)
 
 Description of Problem:
 There is a critical bug in the ASP.NET UrlAuthorization module in MONO 
 (tested in Beta 3).  The bug is in the code "AuthorizationConfig.cs" 
 within the foreach statement inside the method "internal bool IsValidUser 
@@ -133,6 +132,20 @@
 the "roles" or a "users" attribute.
 
 Please look at my code again, which I believe is correct.  You can 
 see in my last line where I say "verb && (users || roles)".
 
 
+
+------- Additional Comments From davidandrewtaylor@hotmail.com  2004-06-22 21:47 -------
+I believe you could rewrite your latest version correctly like this:
+
+foreach (UserData data in list) 
+{
+  if (data.Verbs != null && !data.CheckVerb (verb))
+      continue;
+
+  if ((data.Users!=null&&data.CheckUser(user.Identity.Name))
+     || (data.Roles!=null&&data.CheckRole(user)))
+      return data.Allow;
+}
+
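Review bot: The proposed loop ends at its closing brace without showing what is returned when no entry in `list` matches; because this result decides authorization, the rewrite should state the fall-through return explicitly after the `foreach`. In the second `if`, `user.Identity.Name` is dereferenced with no null check on `user` or `user.Identity`, so either guard it here or confirm the caller guarantees both are set before `CheckUser` is reached. An entry whose `Users` and `Roles` are both null never returns from the loop, which agrees with the "verb && (users || roles)" rule quoted above, but a short comment saying that such entries are skipped on purpose would keep a later edit from changing it by accident.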