jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3010) Introduce new default group whose members can add contribute members to the userAdmin group
Date Tue, 19 Jul 2011 14:50:57 GMT

    [ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067757#comment-13067757 ]

angela commented on JCR-3010:
-----------------------------

The UserAccessControlProvider is a very simple implementation of the access control provider
interface. If you need additional logic, I would suggest using a different ac-provider that
allows specifying permissions at a very fine-grained level. Extending the UserAccessControlProvider
is not worth the effort IMO.

> Introduce new default group whose members can add contribute members to the userAdmin group
> -------------------------------------------------------------------------------------------
>
>                 Key: JCR-3010
>                 URL: https://issues.apache.org/jira/browse/JCR-3010
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: jackrabbit-core
>            Reporter: Markus Joschko
>            Priority: Minor
>
> There is a check in the UserAccessControlProvider that effectively forbids everyone but
> the admin to add users to the UserAdmin Group.
> This makes delegated administration of users where the admin user is not available to
> the "application administrators" impossible.
> As it is a security risk to allow every member of the group-admin group access to the
> user-admin group, I'd like to ask to either allow members of the administrator group to add
> user to that group or
> to add an additional group user-group-assignee-group (maybe with a better name) with
> that right.
>     /*
>     below group-tree:
>     - test if the user is group-administrator.
>     - make sure group-admin cannot modify user-admin or administrators
>     - ... and cannot remove itself.
>     */

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
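
The membership rules listed in the quoted source comment, and the delegate group the reporter proposes, as a simplified stand-alone model. This is an added example, not Jackrabbit code and not part of the original messages. The class, method and user names are hypothetical, the group-name strings are taken from the issue text, and the reading of "cannot remove itself" is an assumption.

```java
import java.util.*;

// Simplified model of the rules discussed in JCR-3010; not Jackrabbit code.
public class DelegatedGroupAdminModel {
    // Group names follow the issue text; ASSIGNERS is the group the reporter proposes.
    static final String ADMIN_USER = "admin";
    static final String ADMINISTRATORS = "administrators";
    static final String USER_ADMIN = "user-admin";
    static final String GROUP_ADMIN = "group-admin";
    static final String ASSIGNERS = "user-group-assignee-group";

    private final Map<String, Set<String>> members = new HashMap<>();
    private final boolean delegateEnabled;

    DelegatedGroupAdminModel(boolean delegateEnabled) { this.delegateEnabled = delegateEnabled; }

    boolean isMember(String user, String group) {
        return members.getOrDefault(group, Set.of()).contains(user);
    }

    // Bootstrap helper: what the admin user would set up, bypassing the checks.
    void seed(String group, String user) {
        members.computeIfAbsent(group, g -> new HashSet<>()).add(user);
    }

    boolean mayEdit(String actor, String group, String user, boolean removing) {
        if (ADMIN_USER.equals(actor)) return true;       // admin is unrestricted
        if (ADMINISTRATORS.equals(group)) return false;  // never delegated
        if (USER_ADMIN.equals(group))                    // today: admin only; proposal: delegates too
            return delegateEnabled && isMember(actor, ASSIGNERS);
        if (ASSIGNERS.equals(group)) return false;       // otherwise a group-admin could self-enrol
        if (!isMember(actor, GROUP_ADMIN)) return false; // "test if the user is group-administrator"
        // Assumed reading of "cannot remove itself": no self-removal from group-admin.
        return !(removing && GROUP_ADMIN.equals(group) && actor.equals(user));
    }

    public static void main(String[] args) {
        for (boolean enabled : new boolean[] {false, true}) {
            DelegatedGroupAdminModel m = new DelegatedGroupAdminModel(enabled);
            m.seed(GROUP_ADMIN, "bob");    // constructed sample users
            m.seed(ASSIGNERS, "carol");
            System.out.println("delegate group enabled: " + enabled);
            System.out.println("  bob adds bob to user-admin:    " + m.mayEdit("bob", USER_ADMIN, "bob", false));
            System.out.println("  carol adds dave to user-admin: " + m.mayEdit("carol", USER_ADMIN, "dave", false));
            System.out.println("  bob adds bob to delegates:     " + m.mayEdit("bob", ASSIGNERS, "bob", false));
            System.out.println("  bob adds dave to editors:      " + m.mayEdit("bob", "editors", "dave", false));
        }
    }
}
```

The delegate group itself has to stay outside what group-admin members can edit, otherwise the restriction on user-admin can be bypassed in two steps.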
