[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1740) cms admin portlet checks for hardcoded role named 'admin'

Tobias Roth (JIRA) jira-events at lists.jboss.org
Wed Oct 10 05:41:05 EDT 2007


cms admin portlet checks for hardcoded role named 'admin'
---------------------------------------------------------

                 Key: JBPORTAL-1740
                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1740
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal CMS
    Affects Versions: 2.6.2 Final
            Reporter: Tobias Roth
         Assigned To: Sohil Shah


See also http://jira.jboss.com/jira/browse/JBPORTAL-1646

I found another hardcoded use of 'admin'. The effect of having this is that even with the change I described above, permissions of cms nodes cannot be changed by users that are not in role called 'admin'.

Why does the security console need to have separate access rights? Aren't the access rights for the CMS admin console enough?
In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:

   private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
   {
      try
      {
         boolean isAccessible = false;

         if (portletRequest.getUserPrincipal() != null)
         {
            User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
            Set roles = this.membershipModule.getRoles(user);
            if (roles != null)
            {
               for (Iterator itr = roles.iterator(); itr.hasNext();)
               {
                  Role role = (Role)itr.next();
                  if (role.getName().equalsIgnoreCase("admin")) // hardcoded role name
                  {
                     isAccessible = true;
                     break;
                  }
               }
            }
         }

         return isAccessible;
      }
      catch (Exception e)
      {
         return false;
      }
   }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
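As an added illustration (not part of the JIRA report and not JBoss Portal's own code), the Java class below makes the same access decision as the quoted isSecurityConsoleAccessible method, but takes the privileged role name(s) from configuration instead of the literal "admin", so a deployment that renamed its administrative role (the situation JBPORTAL-1646 describes) is not locked out. The Role interface, the constructor argument (assumed to be a comma-separated value such as a portlet init-param) and the sample role names are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not JBoss Portal code: the CMS security-console access
 * check with the privileged role name(s) read from configuration rather
 * than hardcoded as "admin".
 */
public class ConfigurableRoleCheck {

    /** Stand-in for the portal's Role type (assumption, not the real API). */
    public interface Role {
        String getName();
    }

    private final Set<String> privilegedRoles;

    /**
     * @param configuredRoles comma-separated role names, e.g. the value of a
     *        portlet init-param (assumed configuration source). A null or blank
     *        value falls back to "admin" so unchanged deployments keep the
     *        original behaviour.
     */
    public ConfigurableRoleCheck(String configuredRoles) {
        Set<String> names = new HashSet<String>();
        String value = (configuredRoles == null || configuredRoles.trim().length() == 0)
                ? "admin" : configuredRoles;
        for (String name : value.split(",")) {
            String trimmed = name.trim();
            if (trimmed.length() > 0) {
                names.add(trimmed.toLowerCase());
            }
        }
        this.privilegedRoles = Collections.unmodifiableSet(names);
    }

    /**
     * Fail closed: no principal, no role set, or no matching role means the
     * console is not accessible. No broad catch is needed because nothing
     * here throws for ordinary input.
     */
    public boolean isSecurityConsoleAccessible(String principalName, Set<? extends Role> roles) {
        if (principalName == null || roles == null) {
            return false;
        }
        for (Role role : roles) {
            if (role != null && role.getName() != null
                    && privilegedRoles.contains(role.getName().toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    /** Demonstration with constructed roles (not real portal data). */
    public static void main(String[] args) {
        Role cmsAdmin = new Role() { public String getName() { return "cms-admin"; } };
        Role plainUser = new Role() { public String getName() { return "user"; } };
        Set<Role> roles = new HashSet<Role>(Arrays.asList(cmsAdmin, plainUser));

        // Default configuration reproduces the hardcoded behaviour: only "admin" unlocks the console.
        System.out.println("default config:   "
                + new ConfigurableRoleCheck(null).isSecurityConsoleAccessible("tobias", roles));

        // Configured roles: a deployment that renamed its admin role still gets access.
        System.out.println("configured roles: "
                + new ConfigurableRoleCheck("admin, cms-admin").isSecurityConsoleAccessible("tobias", roles));
    }
}
```

With the default (blank) configuration the first check is denied, because the user only holds "cms-admin" and "user"; with "admin, cms-admin" configured the same user is granted access. Matching is case-insensitive to stay consistent with the equalsIgnoreCase comparison in the quoted method.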