[
https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14803054#comment-14803054
]
Shawn McKinney commented on FC-120:
-----------------------------------
No. If the caller does not set the admin session then they are on their own
and must explictly call canAssign themselves before assignUser.
In other words we don't want to require a caller to pass ARBAC canAssign via
direct invocation to assignUser. It's their choice.
> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
> Key: FC-120
> URL: https://issues.apache.org/jira/browse/FC-120
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.0-RC41
> Reporter: Chris Pike
> Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a
> null session is passed in it doesn't perform a canAssign check. It looks like
> the setEntitySession method on line 568 of admin manager impl also does some
> sort of check, but I can get around this by setting admin session to null in
> admin manager.
> //user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");
> Session session = new Session(user);
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
