Shane Bryzak resolved SEAMSECURITY-18.
--------------------------------------
Resolution: Out of Date
IdentityManager has been removed
IdentityManager: extend permission checks to allow user to modify his own password
----------------------------------------------------------------------------------
Key: SEAMSECURITY-18
URL: https://issues.jboss.org/browse/SEAMSECURITY-18
Project: Seam Security
Issue Type: Feature Request
Reporter: Raimund Hölle
Assignee: Shane Bryzak
Priority: Minor
Because IdentityManager.changePassword() requires the permission ("seam.user",
"update"), it is not possible to use that method to change the password of the
authenticated user themselves without granting that permission to them.
But granting that means the user is able to modify _any_ user.
I suggest adding a new permission target (or maybe a new action) and extending the
changePassword() method:
    // Separate permission target for changing one's own password only.
    public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";

    public boolean changePassword(String name, String password) {
        Identity identity = Identity.instance();
        try {
            // Normal path: the caller may update any user.
            identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
        } catch (AuthorizationException e) {
            // Fallback: the caller is logged in and is changing their own password,
            // so the narrower own-password permission is sufficient.
            if (identity.isLoggedIn() &&
                identity.getCredentials().getUsername().equals(name)) {
                identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
            } else {
                // Neither permission applies: rethrow the original denial.
                throw e;
            }
        }
        return identityStore.changePassword(name, password);
    }
Or maybe a specialized method?
Many regards,
Raimund
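The following is an added, self-contained model of the proposed two-tier check, not code from Seam Security or from the ticket; Identity, AuthorizationException and the permission constants are stand-ins for the Seam types, and the three test accounts are constructed. It shows the intended outcomes side by side: a holder of "seam.user"/"update" may change any password, a holder of only "seam.user.ownpassword"/"update" may change their own and nobody else's, and an anonymous caller is denied.

```java
import java.util.Set;

// Stand-alone model of the permission rule proposed in SEAMSECURITY-18.
public class OwnPasswordCheckDemo {
    static final String USER_PERMISSION_NAME = "seam.user";
    static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
    static final String PERMISSION_UPDATE = "update";

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    // Minimal stand-in for Seam's Identity: an optional logged-in user plus "target:action" grants.
    static class Identity {
        final String username;        // null when nobody is logged in
        final Set<String> grants;
        Identity(String username, Set<String> grants) { this.username = username; this.grants = grants; }
        boolean isLoggedIn() { return username != null; }
        String getUsername() { return username; }
        void checkPermission(String target, String action) {
            if (!grants.contains(target + ":" + action))
                throw new AuthorizationException("denied " + target + ":" + action);
        }
    }

    // The proposed rule: general update right, or the own-password right when name is the caller.
    static boolean mayChangePassword(Identity identity, String name) {
        try {
            identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
        } catch (AuthorizationException e) {
            if (identity.isLoggedIn() && identity.getUsername().equals(name)) {
                identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
            } else {
                throw e;  // rethrow the original denial for callers targeting another account
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample accounts.
        Identity admin = new Identity("admin", Set.of("seam.user:update"));
        Identity alice = new Identity("alice", Set.of("seam.user.ownpassword:update"));
        Identity guest = new Identity(null, Set.of());
        System.out.println("admin -> bob: " + mayChangePassword(admin, "bob"));
        System.out.println("alice -> alice: " + mayChangePassword(alice, "alice"));
        try { mayChangePassword(alice, "bob"); } catch (AuthorizationException e) { System.out.println("alice -> bob: " + e.getMessage()); }
        try { mayChangePassword(guest, "alice"); } catch (AuthorizationException e) { System.out.println("guest -> alice: " + e.getMessage()); }
    }
}
```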
--
This message is automatically generated by JIRA.