[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3941) IdentityMaanger: extend permission checks to allow user to modify his own password
Raimund Hölle (JIRA)
jira-events at lists.jboss.org
Sun Feb 8 07:35:44 EST 2009
IdentityMaanger: extend permission checks to allow user to modify his own password
----------------------------------------------------------------------------------
Key: JBSEAM-3941
URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
Reporter: Raimund Hölle
Priority: Minor
Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
But granting that means, the user is able to modify _any_ user.
I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method:
public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
public boolean changePassword(String name, String password) {
Identity identity = Identity.instance();
try {
identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
} catch (AuthorizationException e) {
if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
} else {
throw e;
}
}
return identityStore.changePassword(name, password);
}
Or maybe a specialized method?
Many regards,
Raimund
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list