Jörn Nettingsmeier wrote:
> [...]
> one minor thing remains: the usecase handler for non-admin users still
> allows to set userId to arbitrary users.
> no security implication here, because they will be prompted for the
> password of the user account they try to hijack, but still...
Yes, it would be nice to check for the currently logged-in user.
> as a java exercise, i hacked together an alternate version that uses an
> abstract class AbstractChangePassword that has all the common features,
> and two derived classes ChangePassword and ChangePasswordAdmin that each
> add their own extensions. (i chose to do it this way because each of
> these classes has features that the other hasn't, so there was no
> obvious way to do it with inheritance.)
This sounds reasonable, and at the first glance your patch looks
very good. Maybe it would make sense to make
AbstractChangePassword.getUser()
abstract. ChangePassword.getUser() would just return the currently
logged-in user, and AdminChangePassword() would return the user
determined by the userId parameter. WDYT?
> could you comment on this? it might be a little over-engineered, but i
> want to get some hands-on experience regarding oo design.
> a patch is attached, but it does not work, since i'm still stuck with
> another problem: i want the AbstractChangePassword to initialize "user"
> with the userId of the currently logged-in user, but i can't seem to
> find out where to get that kind of information... i tried
>
>   Map objectModel = ContextHelper.getObjectModel(getContext());
>   Request request = ObjectModelHelper.getRequest(objectModel);
>   this.user = Identity.getIdentity(request.getSession(true)).getUser();
>
> but that gives an npe since getContext returns null.
Strange, the same code is used in other usecases ...
BTW, an easier way to get the currently logged-in user from a usecase is:
User user = getSession().getIdentity().getUser();
-- Andreas
--
Andreas Hartmann
Wyona Inc. - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
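The design sketched in this thread (an abstract getUser() on AbstractChangePassword, with the non-admin subclass returning the session user and the admin subclass resolving the userId parameter) can be shown in a few lines of plain Java. The example below is added for illustration and is not Lenya's code or the attached patch: the User, Session and parameter map are constructed stand-ins, not Lenya's Identity/Session classes, and the admin check via a constructed set of admin ids is an assumption. The point it demonstrates is the one raised above: once the non-admin usecase takes its target from the session rather than from a request parameter, a userId supplied by a non-admin is simply ignored, so there is nothing to hijack even before the password prompt.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed stand-ins for the session/identity/user objects (NOT Lenya's API).
final class User {
    private final String id;
    private String password;
    User(String id, String password) { this.id = id; this.password = password; }
    String getId() { return id; }
    boolean checkPassword(String candidate) { return password.equals(candidate); }
    void setPassword(String newPassword) { password = newPassword; }
}

final class Session {
    private final User loggedInUser;
    Session(User loggedInUser) { this.loggedInUser = loggedInUser; }
    User getUser() { return loggedInUser; }
}

// Common part of both usecases: validate the new password and apply it.
abstract class AbstractChangePassword {
    protected final Session session;
    protected final Map<String, String> params;   // request parameters
    protected final Map<String, User> userStore;  // userId -> User

    AbstractChangePassword(Session session, Map<String, String> params, Map<String, User> userStore) {
        this.session = session;
        this.params = params;
        this.userStore = userStore;
    }

    /** Which account this usecase operates on; each subclass decides. */
    protected abstract User getUser();

    /** Authorization hook; subclasses throw if the caller may not change this account. */
    protected abstract void checkPreconditions(User target);

    public final void execute() {
        User target = getUser();
        if (target == null) throw new IllegalStateException("no target user");
        checkPreconditions(target);
        String newPassword = params.get("newPassword");
        if (newPassword == null || newPassword.length() < 8)
            throw new IllegalArgumentException("new password too short");
        target.setPassword(newPassword);
    }
}

// Non-admin usecase: the target is always the logged-in user; userId is never consulted.
final class ChangePassword extends AbstractChangePassword {
    ChangePassword(Session s, Map<String, String> p, Map<String, User> u) { super(s, p, u); }

    @Override protected User getUser() { return session.getUser(); }

    @Override protected void checkPreconditions(User target) {
        // The user must still prove knowledge of the current password.
        if (!target.checkPassword(params.get("oldPassword")))
            throw new SecurityException("old password does not match");
    }
}

// Admin usecase: the target comes from the userId parameter, guarded by an admin check.
final class ChangePasswordAdmin extends AbstractChangePassword {
    private final Set<String> adminIds; // constructed stand-in for a role lookup

    ChangePasswordAdmin(Session s, Map<String, String> p, Map<String, User> u, Set<String> adminIds) {
        super(s, p, u);
        this.adminIds = adminIds;
    }

    @Override protected User getUser() { return userStore.get(params.get("userId")); }

    @Override protected void checkPreconditions(User target) {
        if (!adminIds.contains(session.getUser().getId()))
            throw new SecurityException("caller is not an administrator");
    }
}

public class ChangePasswordDemo {
    public static void main(String[] args) {
        Map<String, User> users = new HashMap<>();
        users.put("alice", new User("alice", "alice-secret-1"));
        users.put("bob", new User("bob", "bob-secret-1"));

        // bob is logged in and sends userId=alice; the non-admin usecase ignores it.
        Map<String, String> p = new HashMap<>();
        p.put("userId", "alice");
        p.put("oldPassword", "bob-secret-1");
        p.put("newPassword", "bob-new-secret");
        new ChangePassword(new Session(users.get("bob")), p, users).execute();

        System.out.println("alice unchanged: " + users.get("alice").checkPassword("alice-secret-1"));
        System.out.println("bob changed:     " + users.get("bob").checkPassword("bob-new-secret"));

        // The admin usecase does honour userId, but only for an administrator session.
        Map<String, String> q = new HashMap<>();
        q.put("userId", "alice");
        q.put("newPassword", "alice-reset-pw");
        new ChangePasswordAdmin(new Session(users.get("bob")), q, users, Set.of("bob")).execute();
        System.out.println("alice reset:     " + users.get("alice").checkPassword("alice-reset-pw"));
    }
}
```

Making getUser() abstract, as suggested above, keeps the decision of which account is affected out of the shared base class, so the non-admin path cannot accidentally pick up a request-supplied userId; the admin path is the only one that reads it, and it does so behind an explicit role check.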