[jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3941) IdentityManager: extend permission checks to allow user to modify his own password
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Thu Apr 16 20:32:22 EDT 2009
[ https://jira.jboss.org/jira/browse/JBSEAM-3941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak reassigned JBSEAM-3941:
------------------------------------
Assignee: Shane Bryzak
> IdentityManager: extend permission checks to allow user to modify his own password
> ----------------------------------------------------------------------------------
>
> Key: JBSEAM-3941
> URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
> Project: Seam
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA
> Reporter: Raimund Hölle
> Assignee: Shane Bryzak
> Priority: Minor
>
> Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
> But granting that means the user is able to modify _any_ user.
> I suggest adding a new permission target (or maybe a new action) and extending the changePassword() method:
>     public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
>
>     public boolean changePassword(String name, String password) {
>         Identity identity = Identity.instance();
>         try {
>             // General case: the caller may update any user.
>             identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
>         } catch (AuthorizationException e) {
>             // Fallback: a logged-in caller changing their own password needs
>             // only the narrower own-password permission.
>             if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
>                 Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
>             } else {
>                 throw e;
>             }
>         }
>         return identityStore.changePassword(name, password);
>     }
> Or maybe a specialized method?
> Many regards,
> Raimund
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
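
The permission decision proposed in the issue above, as an added stand-alone Java example (not part of the original message and not Seam code). The Caller record, the "target:action" grant strings and the sample users are assumptions made for illustration; it needs Java 16 or later.

```java
import java.util.Set;

// Added example: a stand-alone model of the proposed check, not Seam's own classes.
public class OwnPasswordCheckDemo {
    static final String USER_PERMISSION_NAME = "seam.user";
    static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
    static final String PERMISSION_UPDATE = "update";

    // Hypothetical caller; username is null when not logged in, grants are "target:action".
    record Caller(String username, Set<String> grants) {
        boolean has(String target, String action) {
            return grants.contains(target + ":" + action);
        }
    }

    // Same order as the proposed changePassword(): the general permission
    // first, then the own-password fallback, which applies only when the
    // logged-in caller names their own account.
    static boolean mayChangePassword(Caller caller, String targetUser) {
        if (caller.has(USER_PERMISSION_NAME, PERMISSION_UPDATE)) {
            return true;
        }
        boolean self = caller.username() != null && caller.username().equals(targetUser);
        return self && caller.has(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
    }

    static void expect(boolean expected, Caller caller, String targetUser) {
        boolean actual = mayChangePassword(caller, targetUser);
        System.out.printf("%-5s -> %-5s %s%n", caller.username(), targetUser, actual ? "allowed" : "denied");
        if (actual != expected) {
            throw new AssertionError("unexpected decision for " + caller.username());
        }
    }

    public static void main(String[] args) {
        String any = USER_PERMISSION_NAME + ":" + PERMISSION_UPDATE;
        String own = OWNPASSWORD_PERMISSION_NAME + ":" + PERMISSION_UPDATE;
        // Constructed callers; "carol" has the general grant the issue wants to avoid handing out.
        Caller carol = new Caller("carol", Set.of(any));
        Caller alice = new Caller("alice", Set.of(own));
        Caller bob = new Caller("bob", Set.of());
        Caller anon = new Caller(null, Set.of(own));
        expect(true, carol, "bob");    // over-broad grant: can change any user
        expect(true, alice, "alice");  // own password only
        expect(false, alice, "bob");   // other accounts stay protected
        expect(false, bob, "bob");     // no grant, no change
        expect(false, anon, "alice");  // not logged in
    }
}
```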