[
https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Pike closed FC-120.
-------------------------
Resolution: Fixed
Not an issue, just a misunderstanding of how API handles ARBAC checks.
> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
> Key: FC-120
> URL: https://issues.apache.org/jira/browse/FC-120
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.0-RC42
> Reporter: Chris Pike
> Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a
> null session is passed in it doesn't perform a canAssign check. It looks like
> the setEntitySession method on line 568 of admin manager impl also does some
> sort of check, but I can get around this by setting admin session to null in
> admin manager.
> //user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");
> Session session = new Session(user);
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
