directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FC-120) Fortress API allows any user role assignment if admin session is null
Date Thu, 17 Sep 2015 15:16:04 GMT

    [ https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14803054#comment-14803054
] 

Shawn McKinney commented on FC-120:
-----------------------------------

No.  If the caller does not set the admin session then they are on their own and must explictly
call canAssign themselves before assignUser.

In other words we don't want to require a caller to pass ARBAC canAssign via direct invocation
to assignUser.  It's their choice.

> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
>                 Key: FC-120
>                 URL: https://issues.apache.org/jira/browse/FC-120
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC41
>            Reporter: Chris Pike
>            Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a null session
is passed in it doesn't perform a canAssign check. It looks like the setEntitySession method
on line 568 of admin manager impl also does some sort of check, but I can get around this
by setting admin session to null in admin manager. 
> //user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");	
> Session session = new Session(user);		
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message