[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3941) IdentityMaanger: extend permission checks to allow user to modify his own password

[Raimund Hölle (JIRA)]

IdentityMaanger: extend permission checks to allow user to modify his own password
----------------------------------------------------------------------------------

                 Key: JBSEAM-3941
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
             Project: Seam
          Issue Type: Feature Request
          Components: Security
    Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
            Reporter: Raimund Hölle
            Priority: Minor


Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.

But granting that means, the user is able to modify _any_ user.

I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method:

  public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
  
  public boolean changePassword(String name, String password) {
    Identity identity = Identity.instance();
    try {
      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
    } catch (AuthorizationException e) {
      if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
        Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
      } else {
        throw e;
      }
    }
    return identityStore.changePassword(name, password);
  }

Or maybe a specialized method?

Many regards,
Raimund

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira