diff options
author | Huang Zhw <huang_zhw@126.com> | 2021-03-26 19:10:01 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-26 14:10:01 +0300 |
commit | e138698e54e97bfaababf56507026bf92dd4deb4 (patch) | |
tree | 9546f312fda235d415cbb717f9d5eb660535f261 /src/pubsub.c | |
parent | db6655deb42d32374c71d00caf48efb63a13c2ec (diff) | |
download | redis-e138698e54e97bfaababf56507026bf92dd4deb4.tar.gz |
make processCommand check publish channel permissions. (#8534)
Add publish channel permissions check in processCommand.
processCommand didn't check publish channel permissions, so we can
queue a publish command in a transaction. But when exec the transaction,
it will fail with -NOPERM.
We also union keys/commands/channels permissions check togegher in
ACLCheckAllPerm. Remove pubsubCheckACLPermissionsOrReply in
publishCommand/subscribeCommand/psubscribeCommand. Always
check permissions in processCommand/execCommand/
luaRedisGenericCommand.
Diffstat (limited to 'src/pubsub.c')
-rw-r--r-- | src/pubsub.c | 18 |
1 files changed, 0 insertions, 18 deletions
diff --git a/src/pubsub.c b/src/pubsub.c index 5f7335bbe..3409deac2 100644 --- a/src/pubsub.c +++ b/src/pubsub.c @@ -331,21 +331,6 @@ int pubsubPublishMessage(robj *channel, robj *message) { return receivers; } -/* This wraps handling ACL channel permissions for the given client. */ -int pubsubCheckACLPermissionsOrReply(client *c, int idx, int count, int literal) { - /* Check if the user can run the command according to the current - * ACLs. */ - int acl_chanpos; - int acl_retval = ACLCheckPubsubPerm(c,idx,count,literal,&acl_chanpos); - if (acl_retval == ACL_DENIED_CHANNEL) { - addACLLogEntry(c,acl_retval,acl_chanpos,NULL); - addReplyError(c, - "-NOPERM this user has no permissions to access " - "one of the channels used as arguments"); - } - return acl_retval; -} - /*----------------------------------------------------------------------------- * Pubsub commands implementation *----------------------------------------------------------------------------*/ @@ -353,7 +338,6 @@ int pubsubCheckACLPermissionsOrReply(client *c, int idx, int count, int literal) /* SUBSCRIBE channel [channel ...] */ void subscribeCommand(client *c) { int j; - if (pubsubCheckACLPermissionsOrReply(c,1,c->argc-1,0) != ACL_OK) return; if ((c->flags & CLIENT_DENY_BLOCKING) && !(c->flags & CLIENT_MULTI)) { /** * A client that has CLIENT_DENY_BLOCKING flag on @@ -387,7 +371,6 @@ void unsubscribeCommand(client *c) { /* PSUBSCRIBE pattern [pattern ...] */ void psubscribeCommand(client *c) { int j; - if (pubsubCheckACLPermissionsOrReply(c,1,c->argc-1,1) != ACL_OK) return; if ((c->flags & CLIENT_DENY_BLOCKING) && !(c->flags & CLIENT_MULTI)) { /** * A client that has CLIENT_DENY_BLOCKING flag on @@ -420,7 +403,6 @@ void punsubscribeCommand(client *c) { /* PUBLISH <channel> <message> */ void publishCommand(client *c) { - if (pubsubCheckACLPermissionsOrReply(c,1,1,0) != ACL_OK) return; int receivers = pubsubPublishMessage(c->argv[1],c->argv[2]); if (server.cluster_enabled) clusterPropagatePublish(c->argv[1],c->argv[2]); |