Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2011/10/04 21:41:23 UTC
svn commit: r1178928 -
/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
Author: ate
Date: Tue Oct 4 19:41:23 2011
New Revision: 1178928
URL: http://svn.apache.org/viewvc?rev=1178928&view=rev
Log:
JS2-915: Provide admin roles security restriction on admin roles maintenance
Adding additional protection against modifying and deleting the admin role by non-admin users.
See: http://issues.apache.org/jira/browse/JS2-915
Modified:
portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java?rev=1178928&r1=1178927&r2=1178928&view=diff
==============================================================================
--- portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java (original)
+++ portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java Tue Oct 4 19:41:23 2011
@@ -2004,7 +2004,7 @@ public class JetspeedPrincipalManagement
boolean disableAdminEdit = true;
try
{
- if (!((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole) || getPortletRequest().isUserInRole(adminRole))
+ if (getPortletRequest().isUserInRole(adminRole) || !((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole))
{
disableAdminEdit = false;
}
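Review bot: Swapping the two operands on the changed `if` line alters only evaluation order, since `||` short-circuits: an admin caller no longer triggers the `RoleManager.isUserInRole` lookup, while the result is identical for every input as long as neither call has side effects. That intent is not visible from the line itself, and a comment would keep the next maintainer from swapping it back, e.g. `// test the caller's own admin membership first: it is cheap and makes the RoleManager lookup unnecessary for admins`. The enclosing try block, its catch clause and the later use of `disableAdminEdit` continue outside the hunk.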
@@ -2018,6 +2018,15 @@ public class JetspeedPrincipalManagement
return;
}
}
+ else if (principalType.getName().equals(JetspeedPrincipalType.ROLE))
+ {
+ String adminRole = getServiceLocator().getPortalConfiguration().getString(PortalConfigurationConstants.ROLES_DEFAULT_ADMIN);
+ if (principal.getName().equals(adminRole) && !getPortletRequest().isUserInRole(adminRole))
+ {
+ // disallow maintenance on admin role
+ return;
+ }
+ }
tab = new AbstractTab(new Model("Status"))
{
public Panel getPanel(String panelId)
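Review bot: The new guard in the `JetspeedPrincipalType.ROLE` branch returns silently, so a non-admin opening the admin role just sees the Status tab missing and nothing is recorded; a log line before the `return` naming the principal and the caller would make such attempts visible in the portal logs. The protection also depends on `PortalConfigurationConstants.ROLES_DEFAULT_ADMIN` resolving to a non-null value: if the property is unset and `getString` returns null, `equals(null)` is false and the restriction is silently disabled, so a fail-closed `if (adminRole == null || ...) return;` would be safer. This check lives in the portlet view and presumably does not stop a direct caller of the role manager, so the same restriction should be enforced in the service layer as well if it is not already. The admin role is looked up here although the user branch above already reads it; hoisting that lookup above the if/else chain would avoid the duplication. The surrounding if/else chain and the tab construction continue outside the hunk.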