Lucee 7: Admin API with access=open fails

With a .CFConfig.json containing:

"security": {
    "access_read": "open",
    "access_write": "open"
  },

The following should work:

admin  action = "updateDatasource" ... password="";

However, instead it throws Cannot access, no password is defined.

lucee.runtime.exp.ExpressionException: Cannot access, no password is defined
  at lucee.runtime.config.ConfigServerImpl.checkAccess(ConfigServerImpl.java:1061)
  at lucee.runtime.config.ConfigWebImpl.getConfigServer(ConfigWebImpl.java:1507)
  at lucee.runtime.tag.Admin._doStartTag(Admin.java:575)
  at lucee.runtime.tag.Admin.doStartTag(Admin.java:356)

Looking at the code, there is logic that checks for the access tag and only checks password when access is “protected”. However, this admin tag trace is going direct to password check instead.

e.g. helper method that checks the access level: Lucee/core/src/main/java/lucee/runtime/config/ConfigUtil.java at 8adf43dfad3ed2d75526f34d7539bea96d392385 · lucee/Lucee · GitHub

But the following in Admin.java$_doStartTag() is triggering a password check via ConfigWebImpl.java$getConfigServer(Password password):

if (type == TYPE_SERVER) config = (ConfigPro) pageContext.getConfig().getConfigServer(password);

Can this be processed as a bug?

Hey @Dominic_Watson , The cfadmin tag always performs Server Admin password validation. For the updateDatasource action, if the password attribute is omitted or set to an empty string (""), the request fails with Cannot access, no password is defined before the action is executed.