[jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3941) IdentityManager: extend permission checks to allow user to modify his own password

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Thu Apr 16 20:32:22 EDT 2009 

     [ https://jira.jboss.org/jira/browse/JBSEAM-3941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shane Bryzak reassigned JBSEAM-3941:
------------------------------------

    Assignee: Shane Bryzak


> IdentityManager: extend permission checks to allow user to modify his own password
> ----------------------------------------------------------------------------------
>
>                 Key: JBSEAM-3941
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA
>            Reporter: Raimund Hölle
>            Assignee: Shane Bryzak
>            Priority: Minor
>
> Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
> But granting that means, the user is able to modify _any_ user.
> I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method:
>   public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
>   
>   public boolean changePassword(String name, String password) {
>     Identity identity = Identity.instance();
>     try {
>       identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
>     } catch (AuthorizationException e) {
>       if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
>         Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
>       } else {
>         throw e;
>       }
>     }
>     return identityStore.changePassword(name, password);
>   }
> Or maybe a specialized method?
> Many regards,
> Raimund

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list