
PermissionAdminService - access is denied

Bartlomiej Wachowski April 15, 2014

Hello,

I am developing a plugin in Stash 2.12.1 for creating projects and repositories. The problem I am facing is related to granting permissions via PermissionAdminService. Executing

transactionTemplate.execute(new TransactionCallback<CreationResponse>() {

    @Override
    public CreationResponse doInTransaction() {
        Project project = projectService.getByKey(request.getProjectKey());
        if (project == null) {
            // Create the project only when the key is not already in use
            ProjectCreateRequest projectCreateRequest = new ProjectCreateRequest.Builder()
                    .key(request.getProjectKey())
                    .name(request.getProjectName())
                    .description(request.getProjectDescription())
                    .build();
            project = projectService.create(projectCreateRequest);

            // This call throws AccessDeniedException when run inside the transaction
            permissionAdminService.grantAllProjectPermission(Permission.PROJECT_WRITE, project);
        }
        return null; // construction of the CreationResponse is not shown in the post
    }
});

inside a transaction ends with an exception and a rollback. The exception is

org.springframework.security.access.AccessDeniedException: Access is denied
at permissionAdminService.grantAllProjectPermission

Actually, any method call on permissionAdminService for a brand new project is denied. The current user has the "Project Creator" permission. Also, creating a project without calling grantAllProjectPermission creates the project successfully and the current user has admin rights.

The problem is related to the transaction, because when I execute the code outside of it, grantAllProjectPermission works fine. Am I missing something?

Answer accepted
jhinch (Atlassian)
April 15, 2014

Yes, you are absolutely right. Wrapping it in a transaction means that the events Stash relies on to invalidate its permission caches are not fired until the transaction is committed, so you are seeing a view of the permissions as they were before the project was created. Because the grant operation is a completely valid operation to do, I would suggest working around this quirk by wrapping the call to the permissionAdminService in a call to the SecurityService.

// Escalate to PROJECT_ADMIN only for the duration of this one call
securityService.withPermission(Permission.PROJECT_ADMIN, "Grant all project permission within the same transaction")
    .call(new UncheckedOperation<Void>() {
        @Override
        public Void perform() {
            // project must be a final reference to be usable inside the anonymous class
            permissionAdminService.grantAllProjectPermission(Permission.PROJECT_WRITE, project);
            return null;
        }
    });
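
The behaviour described in this thread, reduced to a stand-alone model: the permission check reads a cache that is refreshed only by events fired at commit, so a grant inside the transaction is denied unless it runs in a narrowly scoped escalation. This is an added example, not code from the thread or from Stash; every class, method and value in it is a hypothetical stand-in, and the cache model is an assumption based on the answer's explanation.

```java
import java.util.*;

// Simplified model constructed for illustration; not Stash's implementation.
public class StalePermissionCacheDemo {
    static final Set<String> store = new HashSet<>();             // grants written by the transaction
    static final Set<String> cache = new HashSet<>();             // what permission checks read
    static final List<Runnable> afterCommit = new ArrayList<>();  // events deferred until commit
    static boolean escalated = false;

    static void createProject(String user, String key) {
        store.add(user + ":" + key);                         // creator becomes project admin
        afterCommit.add(() -> cache.add(user + ":" + key));  // cache refresh waits for commit
    }

    static void grantAll(String user, String key) {
        // The check consults the cache, not the uncommitted store
        if (!escalated && !cache.contains(user + ":" + key)) {
            throw new SecurityException("Access is denied");
        }
        store.add("*:" + key);
    }

    static void withPermission(Runnable op) {
        escalated = true;                  // escalation covers exactly one operation
        try { op.run(); } finally { escalated = false; }
    }

    static void commit() {
        afterCommit.forEach(Runnable::run);
        afterCommit.clear();
    }

    public static void main(String[] args) {
        createProject("alice", "DEMO");    // constructed sample user and project key
        try {
            grantAll("alice", "DEMO");     // still "inside the transaction": cache is stale
        } catch (SecurityException e) {
            System.out.println("in transaction, no escalation: " + e.getMessage());
        }
        withPermission(() -> grantAll("alice", "DEMO"));
        System.out.println("in transaction, escalated: granted=" + store.contains("*:DEMO"));
        commit();
        grantAll("alice", "DEMO");         // after commit the cache sees the new admin
        System.out.println("after commit: allowed without escalation");
    }
}
```

Because the `finally` block clears the escalation even if the operation throws, no later call in the same transaction inherits the elevated permission.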
