From 121c0d1bf2b39e76b95af32901a19d08f7563d70 Mon Sep 17 00:00:00 2001
From: Eduard Heimbuch
Date: Mon, 9 Nov 2020 16:04:54 +0100
Subject: [PATCH 1/2] fix race condition on authorization event processing which leads to permission mismatch
---
 CHANGELOG.md | 4 ++++
 .../sonia/scm/security/AuthorizationChangedEventProducer.java | 2 +-
 .../sonia/scm/security/DefaultAuthorizationCollector.java | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99b640e468..695fa92aa3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased
+### Fixed
+- Error on repository initialization with least-privilege user ([#1414](https://github.com/scm-manager/scm-manager/pull/1414))
+
 ## [2.9.0] - 2020-11-06
 ### Added
 - Tracing api ([#1393](https://github.com/scm-manager/scm-manager/pull/#1393))
diff --git a/scm-webapp/src/main/java/sonia/scm/security/AuthorizationChangedEventProducer.java b/scm-webapp/src/main/java/sonia/scm/security/AuthorizationChangedEventProducer.java
index c05fe849bb..259cabcd3d 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/AuthorizationChangedEventProducer.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/AuthorizationChangedEventProducer.java
@@ -140,7 +140,7 @@ public class AuthorizationChangedEventProducer {
 *
 * @param event repository event
 */
- @Subscribe
+ @Subscribe(async = false)
 public void onEvent(RepositoryEvent event) {
 if (event.getEventType().isPost()) {
 if (isModificationEvent(event)) {
diff --git a/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java b/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
index fcd54bac7d..14b040a1a3 100644
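Review bot: Nothing at `@Subscribe(async = false)` on `onEvent(RepositoryEvent)` says why this subscriber must be delivered synchronously, and the same bare annotation change is made on `invalidateCache(AuthorizationChangedEvent)` in DefaultAuthorizationCollector.java. Going by the commit message, the ordering is what stops permission checks from being answered out of a stale authorization cache, so a later cleanup that drops the argument would quietly bring the mismatch back; that matters in both directions, since a stale entry can deny a fresh grant or keep honouring a revoked one. I would put a comment above both annotations, for example `// keep synchronous: the authorization cache must be invalidated before the triggering change returns`, and add a regression test that fails when either subscriber goes back to asynchronous delivery. `onEvent` continues past the end of the hunk, and any other subscribers in this class are not visible here, so whether they need the same treatment should be checked.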
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
@@ -295,7 +295,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
 //J+
 }
- @Subscribe
+ @Subscribe(async = false)
 public void invalidateCache(AuthorizationChangedEvent event) {
 if (event.isEveryUserAffected()) {
 invalidateUserCache(event.getNameOfAffectedUser());
From 10ebae4822b806e76518a106683eb69ceb57c390 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Tue, 10 Nov 2020 21:57:28 +0000
Subject: [PATCH 2/2] fix: upgrade org.mockito:mockito-core from 3.5.13 to 3.5.15
Snyk has created this PR to upgrade org.mockito:mockito-core from 3.5.13 to 3.5.15. See this package in Maven Repository: https://mvnrepository.com/artifact/org.mockito/mockito-core/ See this project in Snyk: https://app.snyk.io/org/scm-manager/project/c575ed09-e310-44e7-afc8-22b77c5873cf?utm_source=github&utm_medium=upgrade-pr
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index fa8eaab8d0..dbdce60fa7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -903,7 +903,7 @@
- 3.5.13
+ 3.5.15
 2.1 5.7.0
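Review bot: In the unchanged context of `invalidateCache` in DefaultAuthorizationCollector.java, the branch guarded by `event.isEveryUserAffected()` calls `invalidateUserCache(event.getNameOfAffectedUser())`, which by the names reads as inverted: the every-user case appears to clear only one user's cached authorization. The else branch and AuthorizationChangedEvent are outside the hunk, so this may simply be a misnamed predicate, but this method is now the synchronous step the fix relies on, so it is worth confirming that an event affecting every user really clears the whole cache. If the predicate turns out to be misnamed, a comment above the `if` such as `// isEveryUserAffected() is true when one user is named, see AuthorizationChangedEvent` (wording to be confirmed against that class) would keep a later reader from swapping the branches.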