Chris Pike created FC-120:
-----------------------------
Summary: Fortress API allows any user role assignment if admin
session is null
Key: FC-120
URL: https://issues.apache.org/jira/browse/FC-120
Project: FORTRESS
Issue Type: Bug
Affects Versions: 1.0.0-RC41
Reporter: Chris Pike
Priority: Critical
This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a
null session is passed in, it doesn't perform a canAssign check. It looks like
the setEntitySession method on line 568 of admin manager impl also does some
sort of check, but I can get around this by setting the admin session to null in
the admin manager.
// The user the admin manager is acting on behalf of; it has no ARBAC permissions.
User user = new User("testuser1");
Session session = new Session(user);
// Create the manager with that user's session, then clear the admin session.
AdminMgr adminManager = AdminMgrFactory.createInstance(session);
adminManager.setAdmin(null);
// Assign a privileged role to the same user.
UserRole userRole = new UserRole("fortress-web-super-user");
userRole.setUserId("testuser1");
// Expected: a SecurityException from the canAssign check; observed: the
// assignment succeeds because the null admin session skips the check.
adminManager.assignUser(userRole);
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)