com.atlassian.crucible.spi.services.NotPermittedException: You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12

Atlassian JIRA | Wojciech Seliga | 8 years ago

    Take a look at a sample XML response for an arbitrary review, when a user tries to fetch data without any authentication. In case of public servers and malicious users, I don't think that exposing the stack trace makes sense when we have "access denied". Now anonymous users know a lot about the underlying stack (jetty, spring, jersey, etc.) and could theoretically use this knowledge to prepare an exploit more easily.

    {code:xml}
    <?xml version='1.0' encoding='UTF-8'?>
    <error>
      <code>NotPermitted</code>
      <message>You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12</message>
      <stacktrace>com.atlassian.crucible.spi.services.NotPermittedException: You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12
        at com.atlassian.crucible.spi.impl.DefaultReviewService.requireReviewPermission(DefaultReviewService.java:1240)
        at com.atlassian.crucible.spi.impl.DefaultReviewService.getReview(DefaultReviewService.java:359)
        at com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:362)
        at com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:361)
        at com.atlassian.crucible.spi.rpc.ConditionalGet.doConditionalGet(ConditionalGet.java:46)
        at com.atlassian.crucible.spi.rpc.RestReviewService.getReview(RestReviewService.java:360)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at com.sun.jersey.impl.model.method.dispatch.EntityParamDispatchProvider$ResponseOutInvoker._dispatch(EntityParamDispatchProvider.java:156)
        at com.sun.jersey.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:85)
        at com.sun.jersey.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:123)
        at com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
        at com.sun.jersey.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:71)
        at com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
        at com.sun.jersey.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:63)
        at com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:722)
        at com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:692)
        at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:344)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1144)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at com.cenqua.crucible.filters.CrucibleFilter.doFilter(CrucibleFilter.java:140)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at com.cenqua.fisheye.web.filters.TotalityFilter.doFilter(TotalityFilter.java:192)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:129)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at com.cenqua.fisheye.web.filters.ProductInfoFilter.doFilter(ProductInfoFilter.java:32)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at com.cenqua.fisheye.web.filters.UpfrontFilter.doFilter(UpfrontFilter.java:39)
        at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
        at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
      </stacktrace>
    </error>
    {code}

    Atlassian JIRA | 8 years ago | Wojciech Seliga
    com.atlassian.crucible.spi.services.NotPermittedException: You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12
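As an added illustration of the issue's point (example code, not code from the Crucible project or from the issue), the Python below audits an error body of the shape quoted above for leaked stack frames and the frameworks they name, and builds the redacted body a client should receive instead. The sample response, the package-prefix table and the correlation-id message format are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the Crucible REST error body quoted in the
# issue: a NotPermitted error that also carries the full server stack trace.
LEAKY_RESPONSE = """<?xml version='1.0' encoding='UTF-8'?>
<error>
<code>NotPermitted</code>
<message>You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12</message>
<stacktrace>com.atlassian.crucible.spi.services.NotPermittedException: You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12
at com.atlassian.crucible.spi.impl.DefaultReviewService.requireReviewPermission(DefaultReviewService.java:1240)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:344)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.mortbay.jetty.Server.handle(Server.java:324)
</stacktrace></error>"""

# Package prefixes that identify a framework in a leaked frame; this table is
# an assumption for the example, not something the issue or Samebug defines.
COMPONENT_PREFIXES = {
    "org.mortbay.": "jetty",
    "org.springframework.": "spring",
    "com.sun.jersey.": "jersey",
    "com.cenqua.": "crucible/fisheye",
    "com.atlassian.": "atlassian",
}

# One Java stack frame: "at <qualified.method>(<File.java:line>)"
FRAME_RE = re.compile(r"\bat\s+([\w$.]+)\(([^)]*)\)")


def audit_error_response(body: str) -> dict:
    """Report what a client can learn from an error body: stack frames and
    the frameworks those frames name. Empty findings mean the body is clean."""
    root = ET.fromstring(body)
    trace = root.findtext("stacktrace") or ""
    frames = FRAME_RE.findall(trace)
    components = set()
    for qualified_name, _location in frames:
        for prefix, name in COMPONENT_PREFIXES.items():
            if qualified_name.startswith(prefix):
                components.add(name)
    # An object identity such as Review@12 in the message is internal detail too.
    message = root.findtext("message") or ""
    identity_leak = bool(re.search(r"\w+@[0-9a-f]+\b", message))
    return {
        "code": root.findtext("code"),
        "frame_count": len(frames),
        "components": sorted(components),
        "identity_leak": identity_leak,
    }


def redact_error_response(body: str, correlation_id: str) -> str:
    """Build the body a client should see instead: same error code, a generic
    message plus an id that lets an admin find the full trace in server logs."""
    root = ET.fromstring(body)
    safe = ET.Element("error")
    ET.SubElement(safe, "code").text = root.findtext("code")
    ET.SubElement(safe, "message").text = f"Access denied (reference {correlation_id})"
    return ET.tostring(safe, encoding="unicode")
```

Running the audit against an instance's own error responses turns the issue's observation into a repeatable check: any non-zero frame_count on an access-denied response is the disclosure described above.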

    Root Cause Analysis

    1. com.atlassian.crucible.spi.services.NotPermittedException

      You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12

      at com.atlassian.crucible.spi.impl.DefaultReviewService.requireReviewPermission()
    2. com.atlassian.crucible
      RestReviewService.getReview
      1. com.atlassian.crucible.spi.impl.DefaultReviewService.requireReviewPermission(DefaultReviewService.java:1240)
      2. com.atlassian.crucible.spi.impl.DefaultReviewService.getReview(DefaultReviewService.java:359)
      3. com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:362)
      4. com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:361)
      5. com.atlassian.crucible.spi.rpc.ConditionalGet.doConditionalGet(ConditionalGet.java:46)
      6. com.atlassian.crucible.spi.rpc.RestReviewService.getReview(RestReviewService.java:360)
      6 frames
    3. Java RT
      Method.invoke
      1. sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      2. sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      3. sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      4. java.lang.reflect.Method.invoke(Method.java:585)
      4 frames
    4. com.sun.jersey
      WebApplicationImpl.handleRequest
      1. com.sun.jersey.impl.model.method.dispatch.EntityParamDispatchProvider$ResponseOutInvoker._dispatch(EntityParamDispatchProvider.java:156)
      2. com.sun.jersey.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:85)
      3. com.sun.jersey.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:123)
      4. com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
      5. com.sun.jersey.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:71)
      6. com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
      7. com.sun.jersey.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:63)
      8. com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:722)
      9. com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:692)
      9 frames
    5. Jersey
      ServletContainer.service
      1. com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:344)
      1 frame
    6. JavaServlet
      HttpServlet.service
      1. javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      1 frame
    7. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
      2. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1144)
      2 frames
    8. Spring
      OncePerRequestFilter.doFilter
      1. org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
      2. org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      2 frames
    9. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    10. com.cenqua.crucible
      CrucibleFilter.doFilter
      1. com.cenqua.crucible.filters.CrucibleFilter.doFilter(CrucibleFilter.java:140)
      1 frame
    11. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    12. com.cenqua.fisheye
      TotalityFilter.doFilter
      1. com.cenqua.fisheye.web.filters.TotalityFilter.doFilter(TotalityFilter.java:192)
      1 frame
    13. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    14. com.atlassian.security
      TrustedApplicationsFilter.doFilter
      1. com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
      1 frame
    15. Spring
      DelegatingFilterProxy.doFilter
      1. org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
      2. org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      2 frames
    16. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    17. Jetty Util
      GzipFilter.doFilter
      1. org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
      2. org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:129)
      2 frames
    18. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    19. com.cenqua.fisheye
      ProductInfoFilter.doFilter
      1. com.cenqua.fisheye.web.filters.ProductInfoFilter.doFilter(ProductInfoFilter.java:32)
      1 frame
    20. Jetty Server
      ServletHandler$Chain.doFilter
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      1 frame
    21. com.cenqua.fisheye
      UpfrontFilter.doFilter
      1. com.cenqua.fisheye.web.filters.UpfrontFilter.doFilter(UpfrontFilter.java:39)
      1 frame
    22. Jetty Server
      SelectChannelEndPoint.run
      1. org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
      2. org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
      3. org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
      4. org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
      5. org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
      6. org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
      7. org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
      8. org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
      9. org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
      10. org.mortbay.jetty.Server.handle(Server.java:324)
      11. org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
      12. org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
      13. org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
      14. org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
      15. org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
      16. org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
      16 frames
    23. Jetty Util
      BoundedThreadPool$PoolThread.run
      1. org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
      1 frame