directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <>
Subject [jira] [Commented] (FC-120) Fortress API allows any user role assignment if admin session is null
Date Thu, 17 Sep 2015 15:16:04 GMT


Shawn McKinney commented on FC-120:

No. If the caller does not set the admin session then they are on their own and must explicitly
call canAssign themselves before assignUser.

In other words we don't want to require a caller to pass ARBAC canAssign via direct invocation
to assignUser.  It's their choice.

> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>                 Key: FC-120
>                 URL:
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC41
>            Reporter: Chris Pike
>            Priority: Critical
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a null session
> is passed in it doesn't perform a canAssign check. It looks like the setEntitySession method
> on line 568 of admin manager impl also does some sort of check, but I can get around this
> by setting admin session to null in admin manager.
> // user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");
> Session session = new Session(user);
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);
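The comment above puts the burden on the caller: when no admin session is set on the AdminMgr, the caller has to run the ARBAC canAssign check itself before invoking assignUser. The wrapper below is an added example of that caller-side guard, not code from the ticket or from the Apache Fortress project. It assumes the `org.apache.directory.fortress.core` package layout, a `DelAccessMgr` interface exposing `canAssign(Session, User, Role)`, and the `Role(String)`, `UserRole.getUserId()` and `UserRole.getName()` accessors; none of those names appear in the thread. A null administrative session is rejected outright rather than being allowed to fall through to an unchecked assignment, which is the condition the report describes.

```java
// Added example (not Apache Fortress project code): a caller-side guard that refuses to
// invoke AdminMgr.assignUser unless an explicit ARBAC canAssign check has passed.
// Assumptions not taken from the ticket: the package names below, the DelAccessMgr
// interface and its canAssign(Session, User, Role) signature, and the Role(String),
// UserRole.getUserId() and UserRole.getName() accessors.
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

public final class GuardedRoleAssigner {

    /** Raised when the explicit ARBAC check denies the assignment. */
    public static final class AssignmentDeniedException extends Exception {
        public AssignmentDeniedException(String message) {
            super(message);
        }
    }

    private final AdminMgr adminMgr;
    private final DelAccessMgr delAccessMgr;

    public GuardedRoleAssigner(AdminMgr adminMgr, DelAccessMgr delAccessMgr) {
        if (adminMgr == null || delAccessMgr == null) {
            throw new IllegalArgumentException("both managers are required");
        }
        this.adminMgr = adminMgr;
        this.delAccessMgr = delAccessMgr;
    }

    /**
     * Assign userRole on behalf of adminSession, performing the ARBAC canAssign
     * check explicitly instead of relying on the AdminMgr's own admin session.
     *
     * A null session is rejected here. Passing null through to the manager is
     * exactly the case where the ticket observed no canAssign check being run,
     * so the guard treats "no administrative session" as a hard error rather
     * than as permission to skip the check.
     */
    public void assign(Session adminSession, UserRole userRole)
            throws SecurityException, AssignmentDeniedException {
        if (adminSession == null) {
            throw new IllegalArgumentException("administrative session must not be null");
        }
        if (userRole == null || userRole.getUserId() == null || userRole.getName() == null) {
            throw new IllegalArgumentException("userRole needs both a userId and a role name");
        }

        // Build the (user, role) pair the ARBAC check is evaluated against.
        User target = new User(userRole.getUserId());
        Role role = new Role(userRole.getName());

        // Explicit ARBAC check: can the administrator bound to adminSession assign
        // this role to this user? Deny closed on a false result.
        if (!delAccessMgr.canAssign(adminSession, target, role)) {
            throw new AssignmentDeniedException(
                "ARBAC canAssign denied: user=" + userRole.getUserId()
                + " role=" + userRole.getName());
        }

        // Only reached after the check passed. The AdminMgr may still carry its own
        // admin session; this wrapper simply never lets assignUser run without one.
        adminMgr.assignUser(userRole);
    }
}
```

Usage mirrors the snippet in the report, except that the session of the administrator is handed to `assign(...)` rather than being cleared with `setAdmin(null)`: `new GuardedRoleAssigner(adminManager, delAccessManager).assign(adminSession, userRole)`. Centralising the guard in one class also gives a single place to log denied assignments for audit.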

This message was sent by Atlassian JIRA
