[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3941) IdentityManager: extend permission checks to allow user to modify his own password

IdentityManager: extend permission checks to allow user to modify his own password ---------------------------------------------------------------------------------- Key: JBSEAM-3941 URL: https://jira.jboss.org/jira/browse/JBSEAM-3941 Project: Seam Issue Type: Feature Request Components: Security Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA Reporter: Raimund Hölle Priority: Minor Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him. But granting that means, the user is able to modify _any_ user. I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method: public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword"; public boolean changePassword(String name, String password) { Identity identity = Identity.instance(); try { identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE); } catch (AuthorizationException e) { if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) { Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE); } else { throw e; } } return identityStore.changePassword(name, password); } Or maybe a specialized method? Many regards, Raimund