[jboss-jira] [JBoss JIRA] Commented: (JBPORTAL-1740) cms admin portlet checks for hardcoded role named 'admin'
Sohil Shah (JIRA)
jira-events at lists.jboss.org
Mon Nov 26 18:05:19 EST 2007
[ http://jira.jboss.com/jira/browse/JBPORTAL-1740?page=comments#action_12389213 ]
Sohil Shah commented on JBPORTAL-1740:
--------------------------------------
> Why does the security console need to have separate access rights? Aren't the access rights for the CMS admin console enough?
No, not true for all CMS usages. Access to the security console (the one that lets you set up permissions) must be different from the permission to access the CMS admin console to modify CMS content.
Typical use case being:
1/ A portal that is set up with very fine permissions to modify CMS content, including allowing Anonymous users to access publicly accessible CMS documents. Think wiki-like document sharing capabilities. However, the security console of the CMS tool should not be accessible to Anonymous users.
I agree that there needs to be flexibility for the end users to specify which Role of users should be allowed to access the security console instead of the built-in Portal Admin role. This issue will be fixed in this bug fix in 2.6.3.
For now, you will be able to specify a single Role that can access the security console. Maybe in a later release we can provide the ability to specify multiple Roles that can get access to the Security Console.
Thanks for the feedback and the bug report.
Sohil
> cms admin portlet checks for hardcoded role named 'admin'
> ---------------------------------------------------------
>
> Key: JBPORTAL-1740
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-1740
> Project: JBoss Portal
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Portal CMS
> Affects Versions: 2.6.2 Final
> Reporter: Tobias Roth
> Assigned To: Sohil Shah
>
> See also http://jira.jboss.com/jira/browse/JBPORTAL-1646
> I found another hardcoded use of 'admin'. The effect of having this is that even with the change I described above, permissions of CMS nodes cannot be changed by users that are not in a role called 'admin'.
> Why does the security console need to have separate access rights? Aren't the access rights for the CMS admin console enough?
> In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:
>
>    private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
>    {
>       try
>       {
>          boolean isAccessible = false;
>          if (portletRequest.getUserPrincipal() != null)
>          {
>             User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
>             Set roles = this.membershipModule.getRoles(user);
>             if (roles != null)
>             {
>                for (Iterator itr = roles.iterator(); itr.hasNext();)
>                {
>                   Role role = (Role)itr.next();
>                   // hardcoded role name: only members of a role called 'admin' may open the security console
>                   if (role.getName().equalsIgnoreCase("admin"))
>                   {
>                      isAccessible = true;
>                      break;
>                   }
>                }
>             }
>          }
>          return isAccessible;
>       }
>       catch (Exception e)
>       {
>          // any lookup failure is treated as "no access"
>          return false;
>       }
>    }
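The fix Sohil describes (a single configurable role instead of the literal "admin"), written out as an added example that is not JBoss Portal code: the role name is taken from configuration, anonymous users are still refused, and the built-in role is used only as a fallback when nothing is configured. The Role interface, the configuration source and the sample role names are assumptions made for this example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Minimal stand-in for the portal's Role type; the check only needs getName(). */
interface Role { String getName(); }

public final class SecurityConsoleAccess
{
   /** The built-in role the quoted code hardcodes; used only when no role is configured. */
   static final String BUILT_IN_ADMIN_ROLE = "admin";
   private final String allowedRole;

   /** configuredRole is the single role name an administrator sets (assumption: read from portlet
    *  configuration; the issue names no parameter). Null or blank falls back to the built-in role. */
   public SecurityConsoleAccess(String configuredRole)
   {
      String name = configuredRole == null ? "" : configuredRole.trim();
      this.allowedRole = name.isEmpty() ? BUILT_IN_ADMIN_ROLE : name;
   }

   /** Same decision as the portlet, but the role name comes from configuration, not a literal. */
   public boolean isSecurityConsoleAccessible(Principal principal, Set<? extends Role> roles)
   {
      // Anonymous users (no principal) never reach the security console, whatever is configured.
      if (principal == null || roles == null) return false;
      for (Role role : roles)
      {
         if (role.getName().equalsIgnoreCase(allowedRole))
         {
            return true;
         }
      }
      return false;
   }
   static Role role(String name) { return () -> name; }

   public static void main(String[] args)
   {
      // Constructed sample data: this deployment delegates the console to a "cms-security" role.
      SecurityConsoleAccess access = new SecurityConsoleAccess("cms-security");
      Principal alice = () -> "alice";
      Set<Role> editorOnly = new HashSet<>(Arrays.asList(role("editor")));
      Set<Role> securityTeam = new HashSet<>(Arrays.asList(role("editor"), role("CMS-Security")));
      System.out.println("anonymous: " + access.isSecurityConsoleAccessible(null, securityTeam));
      System.out.println("editor only: " + access.isSecurityConsoleAccessible(alice, editorOnly));
      System.out.println("security team: " + access.isSecurityConsoleAccessible(alice, securityTeam));
   }
}
```

The match stays case-insensitive, as in the quoted code, so an operator who configures "cms-security" also admits members of "CMS-Security".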
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira