portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma (Commented) (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Commented] (JS2-1100) DeveloperBrowser-type portlets for delegated admin can be used to assign global admin role
Date Tue, 27 Sep 2011 03:14:12 GMT

    [ https://issues.apache.org/jira/browse/JS2-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13115168#comment-13115168
] 

Ate Douma commented on JS2-1100:
--------------------------------

I reviewed the current implementation, and while working partly, I found an easier way to
implement and complete this one, which happens to also solve JS2-915 at the same time.

I'm using the current user its fully resolved (hierarchically even) principal list, which
is available from the Jetspeed wrapped UserSubjectPrincipal.
Having those, and when determined the current user does not have 'the' admin role (determined
from the PortalConfiguration),
the current user will only allowed to modify (both add and delete) principal associations
for a principal when itself has access (be assigned to) these principals. 

And, going even a bit further: I also disable editing *any* user principal property/configuration
when that user principal happens to be assigned this admin role (except for admin role users
itself).
That is: I *only* evaluate if the user principal as this admin role *directly* assigned. So,
not checking against possible hierarchical derived admin role because that is very expensive
and complex which we currently only do for a logged in user itself.

Finally, while I was at it anyway, I've also cleaned up the "tabs" a bit by renaming/replacing
the "User Profile" tab for Roles and Groups to a new "Status" tab,
and likewise splitted off the same functionality a new "Status" tab for Users so the Users
"User Profile" tab now really only provides "profile" management.

AFAIK, all works now as can be expected (as described above), and thereby includes the requested
functionality from JS2-915 too, automatically :)  
                
> DeveloperBrowser-type portlets for delegated admin can be used to assign global admin
role
> ------------------------------------------------------------------------------------------
>
>                 Key: JS2-1100
>                 URL: https://issues.apache.org/jira/browse/JS2-1100
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Admin Portlets
>    Affects Versions: 2.2.0, 2.2.1
>            Reporter: Paul Anderson
>            Assignee: Ate Douma
>              Labels: delegated, portlet, security
>             Fix For: 2.2.2
>
>
> There is no way for a deployer to configure preset lists (or combinations) of allowed
roles etc that a delegated administrator can assign to filtered users, or to filter out certain
roles from the list of options available. (Also no way to set required attributes like language,
which would be useful too).
> So a delegated admin can give users full global admin privileges. This makes the portlet
unsuitable for production use.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message