[
https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14803051#comment-14803051
]
Chris Pike commented on FC-120:
-------------------------------
Not sure I am following... if the caller doesn't set the admin session and the
adminmgr method can't perform the ARBAC check, shouldn't that result in a
security exception instead of letting the assignment happen?
The AdminUtil.canAssign method returns true (doesn't throw an exception) if the
passed-in admin session is null...
> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
> Key: FC-120
> URL: https://issues.apache.org/jira/browse/FC-120
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.0-RC41
> Reporter: Chris Pike
> Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a
> null session is passed in, it doesn't perform a canAssign check. It looks like
> the setEntitySession method on line 568 of admin manager impl also does some
> sort of check, but I can get around this by setting admin session to null in
> admin manager.
> // Imports assumed for the Fortress 1.0.0 release line (not in the original snippet):
> import org.apache.directory.fortress.core.AdminMgr;
> import org.apache.directory.fortress.core.AdminMgrFactory;
> import org.apache.directory.fortress.core.model.Session;
> import org.apache.directory.fortress.core.model.User;
> import org.apache.directory.fortress.core.model.UserRole;
> // user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");
> Session session = new Session(user);
> AdminMgr adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null); // clears the admin session, so the ARBAC check sees null
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole); // assignment goes through without an ARBAC check
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
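The fail-closed behaviour the comment argues for, sketched as an added example. This is not Fortress code: the classes, the exception type and the role name are hypothetical stand-ins constructed for illustration, and the "open" variant only mirrors the pattern the ticket describes (a null admin session short-circuiting to "allowed"). Requires Java 16+ for records.

```java
import java.util.Set;

/**
 * Illustrative ARBAC gate (hypothetical, not Fortress code): the permissive
 * pattern reported in the ticket beside a fail-closed replacement.
 */
public final class ArbacGateExample {

    /** Minimal stand-in for an admin session: who is acting and which ARBAC roles they hold. */
    record AdminSession(String userId, Set<String> adminRoles) {}

    /** Minimal stand-in for a user-to-role assignment request. */
    record UserRole(String userId, String roleName) {}

    /** Hypothetical exception raised when admin authority cannot be established. */
    static final class AdminAuthException extends Exception {
        AdminAuthException(String msg) { super(msg); }
    }

    /** Single ARBAC rule shared by both variants: only holders of this role may assign users to roles. */
    static final String ROLE_ASSIGNER = "example-role-assigner"; // constructed role name

    static boolean hasAssignAuthority(AdminSession s) {
        return s.adminRoles().contains(ROLE_ASSIGNER);
    }

    /** Pattern described in the ticket: a missing admin session means "no check", i.e. allowed. */
    static boolean canAssignOpen(AdminSession adminSess, UserRole req) {
        if (adminSess == null) {
            return true; // the bypass: caller simply omits (or nulls) the admin session
        }
        return hasAssignAuthority(adminSess);
    }

    /** Fail-closed variant: a missing admin session is an authorization failure, not a free pass. */
    static void assertCanAssign(AdminSession adminSess, UserRole req) throws AdminAuthException {
        if (adminSess == null) {
            throw new AdminAuthException("admin session required to assign "
                    + req.roleName() + " to " + req.userId());
        }
        if (!hasAssignAuthority(adminSess)) {
            throw new AdminAuthException(adminSess.userId() + " lacks " + ROLE_ASSIGNER);
        }
    }

    public static void main(String[] args) {
        // Constructed request: the same shape as the ticket's repro (a non-admin user handing itself a powerful role).
        UserRole req = new UserRole("testuser1", "fortress-web-super-user");
        AdminSession none = null;
        AdminSession unprivileged = new AdminSession("testuser1", Set.of());
        AdminSession privileged = new AdminSession("admin1", Set.of(ROLE_ASSIGNER));

        System.out.println("open,   null session -> allowed=" + canAssignOpen(none, req));
        System.out.println("open,   unprivileged -> allowed=" + canAssignOpen(unprivileged, req));

        for (AdminSession s : new AdminSession[] { none, unprivileged, privileged }) {
            try {
                assertCanAssign(s, req);
                System.out.println("closed, " + s.userId() + " -> allowed");
            } catch (AdminAuthException e) {
                System.out.println("closed, denied: " + e.getMessage());
            }
        }
    }
}
```

The design point is that `null` carries no information about who is calling, so an authorization check that treats it as "nothing to verify" is an allow-by-default path reachable by anyone who can omit or clear the session. The fail-closed variant denies unless a positive check succeeds, which is the outcome the comment expects from the ARBAC layer.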