IdentityManager: extend permission checks to allow user to modify his own password
---------------------------------------------------------------------------------
Key: JBSEAM-3941
URL:
https://jira.jboss.org/jira/browse/JBSEAM-3941
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
Reporter: Raimund Hölle
Priority: Minor
Because IdentityManager.changePassword() requires the permission ("seam.user",
"update"), it is not possible to use that method to change the password of the
authenticated user himself without granting that permission to him.
But granting that means the user is able to modify _any_ user.
I suggest adding a new permission target (or maybe a new action) and extending the
changePassword() method:
    // New, narrower permission target covering only the caller's own account.
    public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";

    public boolean changePassword(String name, String password) {
        Identity identity = Identity.instance();
        try {
            // Existing check: callers allowed to update any user pass straight through.
            identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
        } catch (AuthorizationException e) {
            // Fallback: a logged-in user changing his own password only needs
            // the narrower permission; anyone else is rejected as before.
            if (identity.isLoggedIn()
                    && identity.getCredentials().getUsername().equals(name)) {
                identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
            } else {
                throw e;
            }
        }
        return identityStore.changePassword(name, password);
    }
Or maybe a specialized method?
Many regards,
Raimund
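The following is an added example, not code from the issue reporter or from Seam, showing how the proposed fallback can be deployed today without patching IdentityManager: a subclass registered under the built-in component name at application precedence, which is the usual Seam way to override a built-in component. The package and class names are hypothetical; the Seam annotations used and the protected `getIdentityStore()` accessor on IdentityManager are assumed to match Seam 2.1. The own-account check deliberately compares the requested name against the username held by the authenticated Identity, never against a value taken from the request, so the fallback cannot be widened to other accounts.

```java
package example.security; // hypothetical package, not from the issue

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.IdentityManager;

/**
 * Application-precedence replacement for the built-in IdentityManager that
 * adds the "own password" fallback proposed in JBSEAM-3941 (example code;
 * the annotation set below is assumed to match Seam 2.1).
 */
@Name("org.jboss.seam.security.identityManager")
@Scope(ScopeType.EVENT)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors
public class OwnPasswordIdentityManager extends IdentityManager {

    /** Narrow permission target: only the caller's own account. */
    public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";

    @Override
    public boolean changePassword(String name, String password) {
        Identity identity = Identity.instance();
        try {
            // Administrators keep the existing, broad ("seam.user", "update") permission.
            identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
        } catch (AuthorizationException broad) {
            // Fall back only when the target account is the caller's own account.
            if (!isOwnAccount(identity, name)) {
                throw broad;
            }
            // The narrow permission must still be granted explicitly by the
            // application's rules; a user lacking both permissions is rejected here.
            identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
        }
        // getIdentityStore() is assumed to be the accessor IdentityManager exposes.
        return getIdentityStore().changePassword(name, password);
    }

    /**
     * True only when a user is logged in and the requested account name equals
     * the authenticated username. Null-safe on both sides so a missing username
     * never matches and never throws.
     */
    static boolean isOwnAccount(Identity identity, String name) {
        if (name == null || !identity.isLoggedIn()) {
            return false;
        }
        String current = identity.getCredentials().getUsername();
        return current != null && current.equals(name);
    }
}
```

Note that "seam.user.ownpassword" is just a new permission target: it grants nothing by itself and has to be given to ordinary users through the application's existing permission rules, while ("seam.user", "update") stays reserved for administrators.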