[seam-issues] [JBoss JIRA] (SEAM-102) Discrepancies in User and Group management API in Seam Security 3

Discrepancies in User and Group management API in Seam Security 3 ----------------------------------------------------------------- Key: SEAM-102 URL: https://issues.jboss.org/browse/SEAM-102 Project: Seam 3 Distribution Issue Type: Bug Affects Versions: 3.0.0.Final Environment: Seam 3.1.0.Beta2 JBoss AS 7 Reporter: Luca Cavagnoli Priority: Minor The method: {code:java} Group groupName = pm.createGroup("Group name", "Group type"); {code} just adds a row in IdentityObject with the following values: {code:sql} ('Group name', SELECT id FROM IdentityObjectType WHERE name = 'Group type') {code} if IdentityObjectType doesn't already have a row with name = "Group type", the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of adding a new row in IdentityObjectType for the new group type. The method {code:java} PersistenceManager.createGroup(String groupName, String groupType) {code} can also be abused by creating a group with 'USER' as groupType, despite 'USER' was the identity object type chosen to represent users, not groups. The method {code:java} Collection<Group> PersistenceManager.findGroup(String groupType) {code} performs no check about the groupType parameter. One could invoke it as follows: {code:java} findGroup("USER") {code} and the result would be a list of groups which are actually users. 'USER' should be excluded from the list of types that are searched for. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira