[seam-issues] [JBoss JIRA] Moved: (SEAMSECURITY-18) IdentityManager: extend permission checks to allow user to modify his own password
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Tue Oct 26 19:33:54 EDT 2010
[ https://jira.jboss.org/browse/SEAMSECURITY-18?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak moved JBSEAM-3941 to SEAMSECURITY-18:
--------------------------------------------------
Project: Seam Security (was: Seam)
Key: SEAMSECURITY-18 (was: JBSEAM-3941)
Affects Version/s: (was: 2.1.1.CR1)
(was: 2.1.1.GA)
(was: 2.1.0.SP1)
(was: 2.1.1.CR2)
Component/s: (was: Security)
> IdentityManager: extend permission checks to allow user to modify his own password
> ----------------------------------------------------------------------------------
>
> Key: SEAMSECURITY-18
> URL: https://jira.jboss.org/browse/SEAMSECURITY-18
> Project: Seam Security
> Issue Type: Feature Request
> Reporter: Raimund Hölle
> Assignee: Shane Bryzak
> Priority: Minor
>
> Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.
> But granting that means, the user is able to modify _any_ user.
> I'm suggest to add a new permission target (or maybe a new action) and extend the changePassword() method:
> public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
>
> public boolean changePassword(String name, String password) {
> Identity identity = Identity.instance();
> try {
> identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
> } catch (AuthorizationException e) {
> if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
> Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
> } else {
> throw e;
> }
> }
> return identityStore.changePassword(name, password);
> }
> Or maybe a specialized method?
> Many regards,
> Raimund
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list