Sohil Shah updated JBPORTAL-1740:
---------------------------------
Fix Version/s: 2.6.3 Final
cms admin portlet checks for hardcoded role named 'admin'
---------------------------------------------------------
Key: JBPORTAL-1740
URL:
http://jira.jboss.com/jira/browse/JBPORTAL-1740
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Reporter: Tobias Roth
Assigned To: Sohil Shah
Fix For: 2.6.3 Final
See also
http://jira.jboss.com/jira/browse/JBPORTAL-1646
I found another hardcoded use of 'admin'. The effect of having this is that even
with the change I described above, permissions of CMS nodes cannot be changed by users
that are not in a role called 'admin'.
Why does the security console need to have separate access rights? Aren't the access
rights for the CMS admin console enough?
In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:

    private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
    {
       try
       {
          boolean isAccessible = false;
          if (portletRequest.getUserPrincipal() != null)
          {
             User user =
                this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
             Set roles = this.membershipModule.getRoles(user);
             if (roles != null)
             {
                for (Iterator itr = roles.iterator(); itr.hasNext();)
                {
                   Role role = (Role)itr.next();
                   // The role name is a string literal: deployments whose
                   // administrative role is named anything else never match.
                   if (role.getName().equalsIgnoreCase("admin"))
                   {
                      isAccessible = true;
                      break;
                   }
                }
             }
          }
          return isAccessible;
       }
       catch (Exception e)
       {
          // Any lookup failure is silently treated as "not accessible".
          return false;
       }
    }
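To make the defect concrete, the following is an added example (not JBoss Portal code, and not from the reporter): the hardcoded check from the issue is placed beside a version that reads the permitted role names from configuration and fails closed when none are configured. The `Role` and `MembershipModule` stand-ins and the `securityConsole.roles` property name are assumptions made for this example, not portal APIs.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class SecurityConsoleAccessExample {

    // Minimal stand-ins for the portal's role and membership types (assumed).
    static final class Role {
        private final String name;
        Role(String name) { this.name = name; }
        String getName() { return name; }
    }

    interface MembershipModule {
        Set<Role> getRoles(String userName);
    }

    // The pattern reported in the issue: the role name is a literal, so a
    // deployment that names its administrative role differently cannot
    // reach the security console at all.
    static boolean isAccessibleHardcoded(Set<Role> roles) {
        if (roles == null) return false;
        for (Role r : roles) {
            if (r.getName().equalsIgnoreCase("admin")) return true;
        }
        return false;
    }

    // Hardened form: the roles allowed to open the security console come from
    // configuration (a Properties object here, standing in for a portlet
    // init-param or portal configuration file), and comparison is exact.
    static final class SecurityConsoleAuthorizer {
        private final Set<String> allowedRoles;

        SecurityConsoleAuthorizer(Properties config) {
            String raw = config.getProperty("securityConsole.roles", "");
            Set<String> allowed = new HashSet<>();
            for (String name : raw.split(",")) {
                String trimmed = name.trim();
                if (!trimmed.isEmpty()) allowed.add(trimmed);
            }
            if (allowed.isEmpty()) {
                // Fail closed: a missing setting must not fall back to a
                // guessed default role name.
                throw new IllegalStateException("securityConsole.roles is not configured");
            }
            this.allowedRoles = Collections.unmodifiableSet(allowed);
        }

        boolean isAccessible(String userName, MembershipModule membership) {
            if (userName == null) return false;          // anonymous request
            Set<Role> roles = membership.getRoles(userName);
            if (roles == null) return false;
            for (Role r : roles) {
                if (allowedRoles.contains(r.getName())) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample membership data for the demonstration.
        Map<String, Set<Role>> table = new HashMap<>();
        table.put("alice", new HashSet<>(Arrays.asList(new Role("PortalAdmin"))));
        table.put("bob", new HashSet<>(Arrays.asList(new Role("User"))));
        MembershipModule membership = user -> table.getOrDefault(user, Collections.emptySet());

        Properties config = new Properties();
        config.setProperty("securityConsole.roles", "PortalAdmin, CmsAdmin");
        SecurityConsoleAuthorizer auth = new SecurityConsoleAuthorizer(config);

        // alice holds the site's renamed admin role: the literal check rejects
        // her, the configured check admits her; bob and anonymous are rejected.
        System.out.println("hardcoded, alice:  " + isAccessibleHardcoded(table.get("alice")));
        System.out.println("configured, alice: " + auth.isAccessible("alice", membership));
        System.out.println("configured, bob:   " + auth.isAccessible("bob", membership));
        System.out.println("configured, anon:  " + auth.isAccessible(null, membership));
    }
}
```

The constructor throws rather than defaulting when the property is absent, so a misconfigured deployment is noticed at startup instead of quietly locking administrators out or, worse, admitting the wrong role; the original code's blanket `catch (Exception e)` would hide exactly that kind of failure.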
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: