directory-dev mailing list archives

From "Chris Pike (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FC-120) Fortress API allows any user role assignment if admin session is null
Date Wed, 16 Sep 2015 17:44:45 GMT
Chris Pike created FC-120:
-----------------------------

             Summary: Fortress API allows any user role assignment if admin session is null
                 Key: FC-120
                 URL: https://issues.apache.org/jira/browse/FC-120
             Project: FORTRESS
          Issue Type: Bug
    Affects Versions: 1.0.0-RC41
            Reporter: Chris Pike
            Priority: Critical


This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a null session
is passed in, it doesn't perform a canAssign check. It looks like the setEntitySession method
on line 568 of admin manager impl also does some sort of check, but I can get around this
by setting admin session to null in admin manager.

import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
// package for User, Session and UserRole assumed to be the 1.0.0-RC41 layout
import org.apache.directory.fortress.core.rbac.Session;
import org.apache.directory.fortress.core.rbac.User;
import org.apache.directory.fortress.core.rbac.UserRole;

// the user the admin manager is acting on behalf of, who has no ARBAC permissions
User user = new User("testuser1");
Session session = new Session(user);
AdminMgr adminManager = AdminMgrFactory.createInstance(session);
adminManager.setAdmin(null);   // clear the admin session so no canAssign check is made
UserRole userRole = new UserRole("fortress-web-super-user");
userRole.setUserId("testuser1");
adminManager.assignUser(userRole);   // succeeds although nobody was authorized



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
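The failure mode the report describes is an authorization guard that is skipped, rather than failed, when the admin session is absent. The following is an added illustration and not Fortress code: a small stand-alone Java program with a fail-open guard of that shape next to a fail-closed one that treats a missing admin session as a denial. The class, method, permission and role strings (NullSessionGuardDemo, assignUserFailOpen, assignUserFailClosed, the "AdminMgr.assignUser:<role>" permission key) are made up for the example, and java.lang.SecurityException stands in for the project's own exception type.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/*
 * Added illustration, not Fortress code: a fail-open ARBAC guard (check skipped when
 * the admin session is null) beside a fail-closed guard (null session is denied).
 * All names and permission strings below are invented for the demo.
 */
public class NullSessionGuardDemo {

    /** Stand-in for an admin session: who is acting and which ARBAC permissions they hold. */
    static final class AdminSession {
        final String userId;
        final Set<String> arbacPerms;

        AdminSession(String userId, Set<String> arbacPerms) {
            this.userId = userId;
            this.arbacPerms = arbacPerms;
        }
    }

    /** Invented permission key: the operation plus the role being handed out. */
    static String assignPerm(String role) {
        return "AdminMgr.assignUser:" + role;
    }

    /** Throws unless the caller's session carries the permission for this role. */
    static void canAssign(AdminSession s, String role) {
        if (!s.arbacPerms.contains(assignPerm(role))) {
            throw new SecurityException(s.userId + " may not assign " + role);
        }
    }

    /** Fail-open: the pattern the report describes. A null session bypasses canAssign. */
    static boolean assignUserFailOpen(AdminSession adminSession, String targetUser, String role) {
        if (adminSession != null) {
            canAssign(adminSession, role);
        }
        // assignment proceeds even though no authorization decision was made
        return true;
    }

    /** Fail-closed: a missing admin session is an authorization failure, not a skip. */
    static boolean assignUserFailClosed(AdminSession adminSession, String targetUser, String role) {
        if (adminSession == null) {
            throw new SecurityException("admin session required to assign " + role + " to " + targetUser);
        }
        canAssign(adminSession, role);
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: no admin session at all, and a properly entitled admin.
        AdminSession none = null;
        AdminSession admin = new AdminSession("demoadmin",
                new HashSet<>(Collections.singletonList(assignPerm("fortress-web-super-user"))));

        // 1. Null session against the fail-open guard: assignment goes through.
        boolean r1 = assignUserFailOpen(none, "testuser1", "fortress-web-super-user");
        System.out.println("[fail-open]   null session assigned role: " + r1);

        // 2. Null session against the fail-closed guard: denied.
        try {
            assignUserFailClosed(none, "testuser1", "fortress-web-super-user");
            System.out.println("[fail-closed] unexpected success");
        } catch (SecurityException e) {
            System.out.println("[fail-closed] denied: " + e.getMessage());
        }

        // 3. Entitled admin against the fail-closed guard: still works, so the fix costs nothing.
        boolean r3 = assignUserFailClosed(admin, "testuser1", "fortress-web-super-user");
        System.out.println("[fail-closed] entitled admin assigned role: " + r3);
    }
}
```

Compile and run with javac/java; the first line shows the bypass, the second the denial, the third that a legitimately entitled admin is unaffected. A regression test for the reported case would follow the same shape as the reporter's snippet: create the manager on behalf of a user with no ARBAC permissions, call setAdmin(null), and assert that assignUser throws rather than returns.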
