
Allow ACL to be owned by GrantedAuthoritySid

Closes gh-9425
Roberto Paolillo 4 년 전

+ 8 - 2
acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -93,11 +93,17 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 				&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 			return;
 		}
-		// Not authorized by ACL ownership; try via adminstrative permissions
-		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
 
 		// Iterate this principal's authorities to determine right
 		Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
+		if (acl.getOwner() instanceof GrantedAuthoritySid
+				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
+			return;
+		}
+
+		// Not authorized by ACL ownership; try via adminstrative permissions
+		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
+
 		if (authorities.contains(requiredAuthority.getAuthority())) {
 			return;
 		}
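Review bot: The new GrantedAuthoritySid ownership check at the `if (acl.getOwner() instanceof GrantedAuthoritySid` line returns early for every changeType, whereas the existing PrincipalSid ownership branch just above it is limited to CHANGE_GENERAL and CHANGE_OWNERSHIP, so an owner-by-authority would also pass CHANGE_AUDITING without holding the administrative authority that getRequiredAuthority(changeType) would otherwise demand. Unless that widening is intended, the condition should mirror the principal branch: `if (acl.getOwner() instanceof GrantedAuthoritySid` / `&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())` / `&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {`. Either way, the asymmetry deserves a comment on the new check so the next reader knows which changeTypes ownership is meant to cover, and the test added for gh-9425 only exercises CHANGE_GENERAL, so a CHANGE_AUDITING case would pin the intended behavior. The enclosing securityCheck method starts before and ends after this hunk.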

+ 10 - 0
acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java

@@ -31,6 +31,8 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 
+import static org.mockito.BDDMockito.given;
+
 /**
  * @author Rob Winch
  *
@@ -66,6 +68,14 @@ public class AclAuthorizationStrategyImplTests {
 		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 	}
 
+	// gh-9425
+	@Test
+	public void securityCheckWhenAclOwnedByGrantedAuthority() {
+		given(this.acl.getOwner()).willReturn(new GrantedAuthoritySid("ROLE_AUTH"));
+		this.strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_SYSTEM_ADMIN"));
+		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
+	}
+
 	@SuppressWarnings("serial")
 	class CustomAuthority implements GrantedAuthority {