ClaimRule - NullReferenceException if non existing object passed in URI
Closed this issue · 1 comments
mmnosek commented
Repro:
- Create page with IBound Foo data and permission ViewFoo check at the top of definition.
- Permission should require Foo as an argument in constructor
- Add ClaimRule related to this permission, for instance:
authorizationRulesSource.AddRule(new ClaimRule<ViewFoo, SystemUserClaim>((claim, permission) => claim.SystemUser.Equals(permission.Foo.CreatedBy)));
- Try to access page above with wrong (but valid base64) argument
Actual behavior:
System.NullReferenceException: Object reference not set to an instance of an object.
at Sweoffshore.Checklist.Template.get_CreatedBy()
at ChecklistDesigner.Authorization.AuthEnforcementProvider.<>c.<InitializeAuthEnforcement>b__3_0(SystemUserClaim claim, ViewTemplate permission) in C:\Projects\SweOffshore\Sweoffshore\ChecklistDesigner\Authorization\AuthEnforcementProvider.cs:line 33
at Starcounter.Authorization.Core.Rules.ClaimRule`2.<>c__DisplayClass2_0.<Evaluate>b__0(TClaim claim) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Core\Rules\ClaimRule.cs:line 24
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at Starcounter.Authorization.Core.Rules.ClaimRule`2.Evaluate(IEnumerable`1 claims, IAuthorizationEnforcement authorizationEnforcement, TPermission permission) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Core\Rules\ClaimRule.cs:line 24
at Starcounter.Authorization.Core.AuthorizationEnforcement.<>c__DisplayClass3_0`1.<CheckPermission>b__0(IAuthorizationRule`1 rule) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Core\AuthorizationEnforcement.cs:line 24
at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
at Starcounter.Authorization.Core.AuthorizationEnforcement.CheckPermission[TPermission](TPermission permission) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Core\AuthorizationEnforcement.cs:line 23
at Starcounter.Authorization.PageSecurity.PageSecurity.CheckClass(Type pageType, Object[] objects) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\PageSecurity\PageSecurity.cs:line 72
at Starcounter.Authorization.Routing.Middleware.SecurityMiddleware.Run(RoutingInfo routingInfo, Func`1 next) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Middleware\SecurityMiddleware.cs:line 26
at Starcounter.Authorization.Routing.Router.RunWithMiddleware(RoutingInfo routingInfo, IEnumerable`1 middlewares) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 78
at Starcounter.Authorization.Routing.Router.<>c__DisplayClass9_0.<RunWithMiddleware>b__0() in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 78
at Starcounter.Internal.TransactionManager.Scope[TResult](TransactionHandle handle, Func`1 func) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter\TransactionManager.cs:line 522
at Starcounter.Transaction.Scope[TResult](Func`1 func) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter\Transaction.cs:line 248
at ChecklistDesigner.Api.MasterPageMiddleware.Run(RoutingInfo routingInfo, Func`1 next) in C:\Projects\SweOffshore\Sweoffshore\ChecklistDesigner\Api\MasterPageMiddleware.cs:line 21
at Starcounter.Authorization.Routing.Router.RunWithMiddleware(RoutingInfo routingInfo, IEnumerable`1 middlewares) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 78
at Starcounter.Authorization.Routing.Router.<>c__DisplayClass9_0.<RunWithMiddleware>b__0() in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 78
at Starcounter.Db.<>c__DisplayClass43_0`1.<Scope>b__0() in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter\Db.cs:line 381
at Starcounter.Db.Scope(Action action, Boolean isReadOnly) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter\Db.cs:line 356
at Starcounter.Db.Scope[TResult](Func`1 func, Boolean isReadOnly) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter\Db.cs:line 381
at Starcounter.Authorization.Routing.Middleware.DbScopeMiddleware.Run(RoutingInfo routingInfo, Func`1 next) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Middleware\DbScopeMiddleware.cs:line 19
at Starcounter.Authorization.Routing.Router.RunWithMiddleware(RoutingInfo routingInfo, IEnumerable`1 middlewares) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 78
at Starcounter.Authorization.Routing.Router.RunResponse(Type pageType, Request request, String[] arguments) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 68
at Starcounter.Authorization.Routing.Router.<>c__DisplayClass6_0.<HandleGet>b__1(String arg, Request request) in C:\Projects\SweOffshore\Sweoffshore\authorization\Authorization\Routing\Router.cs:line 49
at lambda_method(Closure , Request , IntPtr , IntPtr )
at Starcounter.Rest.UserHandlerInfo.RunUserDelegate(Request req, IntPtr methodSpaceUriSpaceOnStack, IntPtr parametersInfoOnStack) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter.Rest\UriHandlersManager.cs:line 221
at Starcounter.Internal.Web.AppRestServer.RunDelegateAndProcessResponse(IntPtr methodSpaceUriSpaceOnStack, IntPtr parametersInfoOnStack, Request req) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter.Apps.JsonPatch\AppRestServer.cs:line 98
at Starcounter.Internal.AppsBootstrapper.ProcessExternalRequest(Request req) in C:\TeamCity\TeamCity10\buildAgent\work\sc-pnext-nightly-334\Level1\src\Starcounter.Apps.JsonPatch\AppsBootstrapper.cs:line 765
HResult=-2147467261
Expected behavior:
Not found page should be displayed.
I know that I can check manually for null in the rule, but I would rather expect that the rule is executed only if the given permission is valid and makes any sense (ViewFoo without Foo doesn't).
cc @joozek78
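The behavior requested above, sketched as an added example that is not part of the original issue and is not Starcounter.Authorization code: the object named in the URI is resolved before the permission is built, so a lookup miss yields "not found" and the rule only ever runs against a real Foo. Every type, the `Guard.Check` helper and the in-memory store are hypothetical stand-ins; only the rule body mirrors the one in the report.

```csharp
// Added illustration; every type here is a hypothetical stand-in, not the library's API.
using System;
using System.Collections.Generic;
using System.Linq;

record User(string Name);
record Foo(User CreatedBy);
record SystemUserClaim(User SystemUser);

// The permission refuses to exist without its subject, so a rule can never observe Foo == null.
class ViewFoo
{
    public Foo Foo { get; }
    public ViewFoo(Foo foo) => Foo = foo ?? throw new ArgumentNullException(nameof(foo));
}

enum Outcome { NotFound, Denied, Allowed }

static class Guard
{
    // Constructed sample store: the key stands in for the decoded URI argument.
    static readonly Dictionary<string, Foo> Store = new()
    {
        ["foo-1"] = new Foo(new User("alice")),
    };

    // Same comparison as the rule in the issue: only the creator may view.
    static bool OwnerRule(SystemUserClaim claim, ViewFoo permission) =>
        claim.SystemUser.Equals(permission.Foo.CreatedBy);

    public static Outcome Check(string id, IEnumerable<SystemUserClaim> claims)
    {
        // Resolve first: an id that decodes but matches nothing ends here, before any rule runs.
        if (!Store.TryGetValue(id, out var foo)) return Outcome.NotFound;
        var permission = new ViewFoo(foo);
        return claims.Any(c => OwnerRule(c, permission)) ? Outcome.Allowed : Outcome.Denied;
    }
}

static class Program
{
    static void Main()
    {
        var alice = new[] { new SystemUserClaim(new User("alice")) };
        var bob = new[] { new SystemUserClaim(new User("bob")) };
        Console.WriteLine(Guard.Check("foo-1", alice));   // creator of the object
        Console.WriteLine(Guard.Check("foo-1", bob));     // authenticated, not the creator
        Console.WriteLine(Guard.Check("missing", alice)); // well-formed id, no such object
    }
}
```

Keeping the existence check ahead of rule evaluation also means a bad identifier cannot surface as an unhandled exception with a stack trace in the response.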