Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Mark targetDomainObject as @Nullable in PermissionEvaluator

Browse Source 
Closes: gh-18259

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
This commit is contained in:
Andrey Litvitski
2026-02-24 18:56:28 +03:00
committed by Rob Winch
parent d31ca7a758
commit 6d4726bfb7
3 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
acl/src/main/java/org/springframework/security/acls/AclPermissionEvaluator.java
+2 -1
View File
@@ -23,6 +23,7 @@ import java.util.Locale;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.jspecify.annotations.Nullable;
import org.springframework.core.log.LogMessage; import org.springframework.core.log.LogMessage;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
@@ -73,7 +74,7 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
* be overridden using a null check in the expression itself). * be overridden using a null check in the expression itself).
*/ */
@Override @Override
public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) { public boolean hasPermission(Authentication authentication, @Nullable Object domainObject, Object permission) {
if (domainObject == null) { if (domainObject == null) {
return false; return false;
} }
core/src/main/java/org/springframework/security/access/PermissionEvaluator.java
+3 -1
View File
@@ -18,6 +18,8 @@ package org.springframework.security.access;
import java.io.Serializable; import java.io.Serializable;
import org.jspecify.annotations.Nullable;
import org.springframework.aop.framework.AopInfrastructureBean; import org.springframework.aop.framework.AopInfrastructureBean;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
@@ -39,7 +41,7 @@ public interface PermissionEvaluator extends AopInfrastructureBean {
* expression system. Not null. * expression system. Not null.
* @return true if the permission is granted, false otherwise * @return true if the permission is granted, false otherwise
*/ */
boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission); boolean hasPermission(Authentication authentication, @Nullable Object targetDomainObject, Object permission);
/** /**
* Alternative method for evaluating a permission where only the identifier of the * Alternative method for evaluating a permission where only the identifier of the
core/src/main/java/org/springframework/security/access/expression/DenyAllPermissionEvaluator.java
+2 -1
View File
@@ -20,6 +20,7 @@ import java.io.Serializable;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.jspecify.annotations.Nullable;
import org.springframework.core.log.LogMessage; import org.springframework.core.log.LogMessage;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
@@ -40,7 +41,7 @@ public class DenyAllPermissionEvaluator implements PermissionEvaluator {
* @return false always * @return false always
*/ */
@Override @Override
public boolean hasPermission(Authentication authentication, Object target, Object permission) { public boolean hasPermission(Authentication authentication, @Nullable Object target, Object permission) {
this.logger.warn(LogMessage.format("Denying user %s permission '%s' on object %s", authentication.getName(), this.logger.warn(LogMessage.format("Denying user %s permission '%s' on object %s", authentication.getName(),
permission, target)); permission, target));
return false; return false;