Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2011/10/04 21:41:23 UTC

svn commit: r1178928 - /portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java

Author: ate
Date: Tue Oct  4 19:41:23 2011
New Revision: 1178928

URL: http://svn.apache.org/viewvc?rev=1178928&view=rev
Log:
JS2-915: Provide admin roles security restriction on admin roles maintenance
Adding additional protection against modifying and deleting the admin role by non-admin users.
See: http://issues.apache.org/jira/browse/JS2-915

Modified:
    portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java

Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java?rev=1178928&r1=1178927&r2=1178928&view=diff
==============================================================================
--- portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java (original)
+++ portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java Tue Oct  4 19:41:23 2011
@@ -2004,7 +2004,7 @@ public class JetspeedPrincipalManagement
                 boolean disableAdminEdit = true;
                 try
                 {
-                    if (!((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole) || getPortletRequest().isUserInRole(adminRole))
+                    if (getPortletRequest().isUserInRole(adminRole) || !((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole))
                     {
                         disableAdminEdit = false;
                     }
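Review bot: The reordered condition changes which operand runs first: because `||` short-circuits, the `RoleManager.isUserInRole(principal.getName(), adminRole)` lookup is now skipped whenever the current request already holds `adminRole`, so an exception from that lookup no longer reaches the catch for admin users. Nothing in the hunk says why the order matters, so add a why-comment such as `// request check first: an admin may always edit, and this skips the RoleManager lookup (and its exceptions) for admins` to keep a later cleanup from swapping the operands back. Since `disableAdminEdit` starts true and is only cleared inside the try, a failing lookup presumably still leaves the edit disabled for non-admins, which is the safe direction. The enclosing try/catch and method continue outside this hunk.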
@@ -2018,6 +2018,15 @@ public class JetspeedPrincipalManagement
                    return; 
                 }
             }
+            else if (principalType.getName().equals(JetspeedPrincipalType.ROLE))
+            {
+                String adminRole = getServiceLocator().getPortalConfiguration().getString(PortalConfigurationConstants.ROLES_DEFAULT_ADMIN);
+                if (principal.getName().equals(adminRole) && !getPortletRequest().isUserInRole(adminRole))
+                {                    
+                    // disallow maintenance on admin role
+                    return;
+                }
+            }
             tab = new AbstractTab(new Model("Status"))
             {
                 public Panel getPanel(String panelId)
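Review bot: The new ROLE branch fails open when `PortalConfigurationConstants.ROLES_DEFAULT_ADMIN` is not configured: with a null `adminRole`, `principal.getName().equals(adminRole)` is false, the guard is skipped, and the admin role stays editable by any user who reaches this page. Consider failing closed on a missing or blank name, e.g. `if (adminRole == null || adminRole.trim().length() == 0) { return; } // fail closed: admin role name not configured`, with an error logged so the misconfiguration is noticed rather than silently weakening the check. The `return` only suppresses the Status tab; the handlers that actually update or delete the role are not in this hunk, so confirm they enforce the same `isUserInRole(adminRole)` check, because a UI-only restriction can be bypassed with a crafted action request. The enclosing method starts and ends outside this hunk.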


