[seam-issues] [JBoss JIRA] Moved: (SEAMSECURITY-18) IdentityManager: extend permission checks to allow user to modify his own password

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Tue Oct 26 19:33:54 EDT 2010


     [ https://jira.jboss.org/browse/SEAMSECURITY-18?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shane Bryzak moved JBSEAM-3941 to SEAMSECURITY-18:
--------------------------------------------------

              Project: Seam Security  (was: Seam)
                  Key: SEAMSECURITY-18  (was: JBSEAM-3941)
    Affects Version/s:     (was: 2.1.1.CR1)
                           (was: 2.1.1.GA)
                           (was: 2.1.0.SP1)
                           (was: 2.1.1.CR2)
          Component/s:     (was: Security)


> IdentityManager: extend permission checks to allow user to modify his own password
> ----------------------------------------------------------------------------------
>
>                 Key: SEAMSECURITY-18
>                 URL: https://jira.jboss.org/browse/SEAMSECURITY-18
>             Project: Seam Security
>          Issue Type: Feature Request
>            Reporter: Raimund Hölle
>            Assignee: Shane Bryzak
>            Priority: Minor
>
> Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
> But granting that means the user is able to modify _any_ user.
> I suggest adding a new permission target (or maybe a new action) and extending the changePassword() method:
>   public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
>
>   public boolean changePassword(String name, String password) {
>     Identity identity = Identity.instance();
>     try {
>       // general permission: may update any user
>       identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
>     } catch (AuthorizationException e) {
>       // fall back to the narrower permission only for the user's own account
>       if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
>         identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
>       } else {
>         throw e;
>       }
>     }
>     return identityStore.changePassword(name, password);
>   }
> Or maybe a specialized method?
> Many regards,
> Raimund
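The two-tier check proposed in the issue, written out as a stand-alone illustration (added here, not code from the Seam project or the reporter): the Identity record, the grant set and the string-based permission model are simplified stand-ins for Seam's classes, and the return value replaces the AuthorizationException Seam would throw.

```java
import java.util.Set;

public class OwnPasswordCheck {
    static final String USER_PERMISSION_NAME = "seam.user";
    static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
    static final String PERMISSION_UPDATE = "update";

    // Stand-in for Seam's Identity: the authenticated username (null when anonymous)
    // and the set of "target:action" grants the user holds. Not Seam's real API.
    record Identity(String username, Set<String> grants) {
        boolean isLoggedIn() { return username != null; }
        boolean hasPermission(String target, String action) {
            return grants.contains(target + ":" + action);
        }
    }

    // Authorisation decision for changing the password of account `name`.
    // The broad ("seam.user", "update") grant covers every account; the narrow
    // "seam.user.ownpassword" grant covers only the account the caller is logged in as.
    static boolean mayChangePassword(Identity identity, String name) {
        if (identity.hasPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE)) {
            return true;
        }
        // The self-check compares the target against the authenticated principal,
        // not against anything the caller supplies, so the own-password grant
        // cannot be widened into access to other accounts.
        return identity.isLoggedIn()
                && identity.username().equals(name)
                && identity.hasPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
    }

    public static void main(String[] args) {
        // Constructed sample principals
        Identity admin = new Identity("admin", Set.of("seam.user:update"));
        Identity alice = new Identity("alice", Set.of("seam.user.ownpassword:update"));
        Identity guest = new Identity(null, Set.of());

        System.out.println("admin -> bob:   " + mayChangePassword(admin, "bob"));   // broad grant
        System.out.println("alice -> alice: " + mayChangePassword(alice, "alice")); // own account
        System.out.println("alice -> bob:   " + mayChangePassword(alice, "bob"));   // someone else's account
        System.out.println("guest -> alice: " + mayChangePassword(guest, "alice")); // not logged in
    }
}
```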

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
