jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tobias Bocanegra (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2910) Please add JackrabbitSession.isAdmin()
Date Tue, 08 Mar 2011 18:19:59 GMT

    [ https://issues.apache.org/jira/browse/JCR-2910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004112#comment-13004112
] 

Tobias Bocanegra commented on JCR-2910:
---------------------------------------

i agree with jukka. Session.isAdmin() is not the correct way to enforce security since it's
not extendable. basically, all resources and services need to be subject to access control.
i'd rather add the respective policies like (rep:backup) and check against them than a vague
isAdmin() check.


> Please add JackrabbitSession.isAdmin()
> --------------------------------------
>
>                 Key: JCR-2910
>                 URL: https://issues.apache.org/jira/browse/JCR-2910
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>            Reporter: Thomas Mueller
>            Priority: Minor
>
> Currently finding out if the session user is an admin requires:
> JackrabbitSession js = (JackrabbitSession) session;
> User user = ((User) js.getUserManager().getAuthorizable(session.getUserID()));
> boolean isAdmin = user.isAdmin();
> Or: ((SessionImpl) session).isAdmin(). However casting to an implementation is problematic
for several reasons.
> I think it would make sense to add isAdmin() to the JackrabbitSession interface, so the
code above would be:
> ((JackrabbitSession) session).isAdmin()

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message