[jboss-jira] [JBoss JIRA] Commented: (JBPORTAL-1740) cms admin portlet checks for hardcoded role named 'admin'

Tobias Roth (JIRA) jira-events at lists.jboss.org
Wed Oct 10 05:47:03 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBPORTAL-1740?page=comments#action_12381368 ] 
            
Tobias Roth commented on JBPORTAL-1740:
---------------------------------------

Sorry, this is a duplicate for JBPORTAL-1733. I have more info in here though.

> cms admin portlet checks for hardcoded role named 'admin'
> ---------------------------------------------------------
>
>                 Key: JBPORTAL-1740
>                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1740
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal CMS
>    Affects Versions: 2.6.2 Final
>            Reporter: Tobias Roth
>         Assigned To: Sohil Shah
>
> See also http://jira.jboss.com/jira/browse/JBPORTAL-1646
> I found another hardcoded use of 'admin'. The effect of having this is that even with the change I described above, permissions of cms nodes cannot be changed by users that are not in role called 'admin'.
> Why does the security console need to have separate access rights? Aren't the access rights for the CMS admin console enough?
> In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:
>    private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
>    {
>       try
>       {
>          boolean isAccessible = false;
>          if (portletRequest.getUserPrincipal() != null)
>          {
>             User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
>             Set roles = this.membershipModule.getRoles(user);
>             if (roles != null)
>             {
>                for (Iterator itr = roles.iterator(); itr.hasNext();)
>                {
>                   Role role = (Role)itr.next();
>                   if (role.getName().equalsIgnoreCase("admin"))
>                   {
>                      isAccessible = true;
>                      break;
>                   }
>                }
>             }
>          }
>          return isAccessible;
>       }
>       catch (Exception e)
>       {
>          return false;
>       }
>    }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
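For contrast with the `equalsIgnoreCase("admin")` check quoted in the report, the following is an added example (not JBoss Portal code) of the same access decision driven by a configured role list instead of a literal. The `Role` class is a stand-in that mirrors only the `getName()` call used above, and the portlet init-param name `securityConsoleRoles` is hypothetical; a deployment that renames or splits its administrator role then needs a configuration change, not a code patch.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example, not JBoss Portal code. The Role type below is a stand-in for
// the portal's identity class; only getName() is needed for the comparison.
public class ConfigurableConsoleAccess {

    /** Minimal stand-in for the portal's Role type. */
    static final class Role {
        private final String name;
        Role(String name) { this.name = name; }
        String getName() { return name; }
    }

    /** Role names allowed to open the security console, loaded from configuration. */
    private final Set<String> allowedRoles;

    /**
     * @param configuredRoles comma-separated role names, e.g. the value of a
     *        hypothetical portlet init-param "securityConsoleRoles" in portlet.xml.
     *        When unset, falls back to "admin" so the default matches the quoted code.
     */
    ConfigurableConsoleAccess(String configuredRoles) {
        Set<String> names = new HashSet<String>();
        String source = (configuredRoles == null || configuredRoles.trim().isEmpty())
                ? "admin" : configuredRoles;
        for (String r : source.split(",")) {
            String trimmed = r.trim();
            if (!trimmed.isEmpty()) {
                // Normalise once so the lookup below is case-insensitive, like the
                // original equalsIgnoreCase("admin"), without a loop over literals.
                names.add(trimmed.toLowerCase(Locale.ROOT));
            }
        }
        this.allowedRoles = Collections.unmodifiableSet(names);
    }

    /**
     * Replacement for isSecurityConsoleAccessible: true if the user holds any
     * configured role. A null role set denies access (fail closed), matching
     * the original's behaviour when lookup fails.
     */
    boolean isSecurityConsoleAccessible(Set<Role> roles) {
        if (roles == null) {
            return false;
        }
        for (Role role : roles) {
            String name = role.getName();
            if (name != null && allowedRoles.contains(name.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: this deployment calls its CMS administrators "cms-admin".
        ConfigurableConsoleAccess check =
                new ConfigurableConsoleAccess("cms-admin, portal-security");
        Set<Role> cmsAdmin = new HashSet<Role>(
                Arrays.asList(new Role("cms-admin"), new Role("user")));
        Set<Role> plainUser = new HashSet<Role>(Collections.singleton(new Role("user")));

        System.out.println("cms-admin -> " + check.isSecurityConsoleAccessible(cmsAdmin));
        System.out.println("user      -> " + check.isSecurityConsoleAccessible(plainUser));
        System.out.println("no roles  -> " + check.isSecurityConsoleAccessible(null));

        // With no configuration the hardcoded default from the report still applies.
        ConfigurableConsoleAccess legacy = new ConfigurableConsoleAccess(null);
        Set<Role> admin = new HashSet<Role>(Collections.singleton(new Role("Admin")));
        System.out.println("default 'admin' -> " + legacy.isSecurityConsoleAccessible(admin));
    }
}
```

The role list is read once at construction and normalised to lower case, so the per-request check is a single set lookup; keeping the "admin" fallback means existing deployments behave exactly as before until an administrator opts into a different role name.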
