
rhino-tools-dev@googlegroups.com


Re: [rhino-tools-dev] Re: another rhino security problem with mysql, AuthorizationService AddPermissionsToQuery Nathan Stott Mon May 17 19:02:10 2010

Using MySQL5 Dialect corrected this issue for me.

On Mon, May 17, 2010 at 8:36 AM, Nathan Stott <[EMAIL PROTECTED]> wrote:

> Thanks!  I will be checking that out today.
>
>
> On Mon, May 17, 2010 at 2:11 AM, Ayende Rahien <[EMAIL PROTECTED]> wrote:
>
>> No, the place to look here is the NH MySql Dialect, actually.
>> Look at GetLimitString, in particular.
>>
>>
>> On Mon, May 17, 2010 at 5:29 AM, Nathan Stott <[EMAIL PROTECTED]> wrote:
>>
>>> I traced it to being caused by the SetMaxResults(1) call
>>> in GetPermissionQueryInternal in AuthorizationService.
>>>
>>> When I remove SetMaxResults(1) things work more as I'd expect them to,
>>> but looking at the code it looks like this is needed logic.
>>>
>>> I suppose that means that problem is again in the NH MySQL Provider?
>>>  Would that be the place to look next?
>>>
>>>
>>> On Mon, May 17, 2010 at 12:05 AM, Nathan Stott <[EMAIL PROTECTED]> wrote:
>>>
>>>> Any ideas on this problem would be greatly appreciated.
>>>>
>>>> I'm doing a very simple query.
>>>>
>>>> var dc = DetachedCriteria.For<Appointment>();
>>>>
>>>> AuthorizationService.AddPermissionsToQuery(user, "/Appointment/View",
>>>> dc);
>>>>
>>>> return dc.GetExecutableCriteria(Session).List<Appointment>();
>>>>
>>>>
>>>> Removing the AddPermissionsToQuery results in a query that works.  The
>>>> SQL generated produces invalid SQL with a variable ?p6 that is simply
>>>> undefined.  The ?p6 variable appears to be completely extraneous.
>>>>  Running the SQL statement manually with this parameter removed results in
>>>> the exact results I want.
>>>>
>>>> This is the exact error:
>>>> Exception Details: MySql.Data.MySqlClient.MySqlException: Parameter
>>>> '?p6' must be defined.
>>>>
>>>> Any suggestions would be most welcome.
>>>>
>>>> This is the resulting SQL:
>>>>
>>>> SELECT
>>>>  this_.id as id4_0_,
>>>>  this_.appointment_status as appointm2_4_0_,
>>>>  this_.requestor_first_name as requestor3_4_0_,
>>>>  this_.requestor_last_name as requestor4_4_0_,
>>>>  this_.requestor_phone as requestor5_4_0_,
>>>>  this_.requestor_email as requestor6_4_0_,
>>>>  this_.inn_code as inn7_4_0_,
>>>>  this_.start_time as start8_4_0_,
>>>>  this_.end_time as end9_4_0_,
>>>>  this_.consult_reason_description as consult10_4_0_,
>>>>  this_.created_at as created11_4_0_,
>>>>  this_.last_modified_at as last12_4_0_,
>>>>  this_.security_key as security13_4_0_,
>>>>  this_._user as column14_4_0_,
>>>>  this_._time_slot as column15_4_0_
>>>> FROM appointment this_
>>>> WHERE 1 /* ?p0 */ = (
>>>> SELECT
>>>>  this_0_.Allow as y0_
>>>>  FROM security_Permissions this_0_ inner join security_Operations op1_
>>>> on this_0_.Operation=op1_.Id left outer join security_EntitiesGroups
>>>> entitygrou2_ on this_0_.EntitiesGroup=entitygrou2_.Id left outer join
>>>> security_EntityReferencesToEntitiesGroups entities7_ on
>>>> entitygrou2_.Id=entities7_.GroupId left outer join 
>>>> security_EntityReferences
>>>> entitykey3_ on entities7_.EntityReferenceId=entitykey3_.Id
>>>>  WHERE op1_.Name in (
>>>> '/Appointment/View' /* ?p1 */,
>>>>  '/Appointment' /* ?p2 */)
>>>>  and
>>>>  (
>>>> this_0_.`User` = 1515 /* ?p3 */ or
>>>>  this_0_.UsersGroup in (
>>>> SELECT
>>>>  this_0_0_.Id as y0_
>>>>  FROM security_UsersGroups this_0_0_
>>>> WHERE this_0_0_.Id in (
>>>> SELECT
>>>>  this_0_0_0_.Id as y0_
>>>> FROM security_UsersGroups this_0_0_0_ left outer join
>>>> security_UsersToUsersGroups users4_ on this_0_0_0_.Id=users4_.GroupId left
>>>> outer join users user1_ on users4_.UserId=user1_.id left outer join
>>>> security_UsersGroupsHierarchy allchildre6_ on
>>>> this_0_0_0_.Id=allchildre6_.ParentGroup left outer join 
>>>> security_UsersGroups
>>>> child2_ on allchildre6_.ChildGroup=child2_.Id
>>>>  WHERE (
>>>> child2_.Id in (
>>>> SELECT
>>>>  this_0_0_0x0_.Id as y0_
>>>> FROM security_UsersGroups this_0_0_0x0_ inner join
>>>> security_UsersToUsersGroups users3_ on this_0_0_0x0_.Id=users3_.GroupId
>>>> inner join users user1_ on users3_.UserId=user1_.id
>>>>  WHERE user1_.id = 1515 /* ?p4 */)
>>>>  or
>>>>  user1_.id = 1515 /* ?p5 */)
>>>>  )
>>>> )
>>>> )
>>>>  and
>>>>  (
>>>> (
>>>>  this_.security_key = this_0_.EntitySecurityKey or
>>>>  this_.security_key = entitykey3_.EntitySecurityKey)
>>>>  or
>>>>  (
>>>> this_0_.EntitySecurityKey is null and
>>>>  this_0_.EntitiesGroup is null)
>>>> )
>>>>  ORDER BY this_0_.Level desc,
>>>>  this_0_.Allow asc limit ?p6)
>>>>
>>>
>>>  --
>>> You received this message because you are subscribed to the Google Groups
>>> "Rhino Tools Dev" group.
>>> To post to this group, send email to [EMAIL PROTECTED]
>>> To unsubscribe from this group, send email to
>>> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
>>> .
>>> For more options, visit this group at
>>> http://groups.google.com/group/rhino-tools-dev?hl=en.
>>>
>>
>>
>
>

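The permission subquery in the generated SQL above, reduced to its precedence rule and run against SQLite as an added example (not code from the thread or from Rhino Security): it shows why the SetMaxResults(1) / LIMIT the thread discusses is required logic rather than an extraneous clause. Assumptions: the user-group and entity-group joins are dropped, table and column names follow the thread's SQL, and every row is constructed.

```python
import sqlite3

# Same ordering as the generated SQL: highest Level first, then Allow ascending
# (0 before 1), so at equal specificity a deny row wins over an allow row.
# The outer query tests 'WHERE 1 = (subquery)', which only makes sense when
# the subquery yields exactly one row, hence LIMIT 1 (SetMaxResults(1)).
PERMISSION_SQL = """
SELECT p.Allow
FROM security_Permissions p
INNER JOIN security_Operations op ON p.Operation = op.Id
WHERE op.Name IN ('/Appointment/View', '/Appointment')
  AND p."User" = ?
  AND (p.EntitySecurityKey = ? OR p.EntitySecurityKey IS NULL)
ORDER BY p.Level DESC, p.Allow ASC
LIMIT 1
"""

def build_db():
    """In-memory SQLite with constructed rules for user 1515 (the id in the thread)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE security_Operations (Id INTEGER, Name TEXT);
      CREATE TABLE security_Permissions (
        Id INTEGER, Operation INTEGER, "User" INTEGER, Allow INTEGER,
        Level INTEGER, EntitySecurityKey TEXT);
      INSERT INTO security_Operations VALUES (1, '/Appointment'), (2, '/Appointment/View');
      -- constructed rules:
      --   level 1: allow everything under /Appointment (no entity key = global)
      --   level 5: deny  viewing the appointment whose security_key is 'appt-42'
      --   level 5: allow viewing that same appointment (conflicts with the deny)
      INSERT INTO security_Permissions VALUES
        (1, 1, 1515, 1, 1, NULL),
        (2, 2, 1515, 0, 5, 'appt-42'),
        (3, 2, 1515, 1, 5, 'appt-42');
    """)
    return db

def is_allowed(db, user_id, security_key):
    """Mirror of 'WHERE 1 = (subquery)': allowed only if the single winning row is Allow = 1."""
    row = db.execute(PERMISSION_SQL, (user_id, security_key)).fetchone()
    return row is not None and row[0] == 1

def all_matching_rows(db, user_id, security_key):
    """What the subquery yields without LIMIT 1: several rows, not one decision."""
    sql = PERMISSION_SQL.replace("LIMIT 1", "")
    return [r[0] for r in db.execute(sql, (user_id, security_key)).fetchall()]
```

Without the LIMIT, MySQL rejects the multi-row scalar subquery outright, while SQLite silently uses the first row; either way the clause is part of the authorization decision, which is why fixing the dialect (MySQL5Dialect) rather than dropping SetMaxResults(1) is the right repair.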