[ https://issues.apache.org/jira/browse/SLING-2113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13058245#comment-13058245 ]
Markus Joschko commented on SLING-2113:
---------------------------------------
Now that I think about it, it's probably really a security threat if everybody
who can admin groups can also potentially create users and add them to groups.
However, I am looking for a way to allow delegated user administration. In my
app the admin account is only used for technical administration (configuration,
bundle updates etc.) and all administrators of the application are normal
users in the groups administrators, groupadmin, useradmin. They should be able
to "self organize" -> add other users to the useradmin group.

Would it make sense to at least allow users from the administrators group to
add users to the useradmin group?

I guess there is nothing that can be done on the SLING side as this is
Jackrabbit functionality. I always wanted to try out how hard it is to
overwrite the ACPs.

> Non admin members of the group GroupAdmin can not add members to the group
> UserAdmin
> ------------------------------------------------------------------------------------
>
> Key: SLING-2113
> URL: https://issues.apache.org/jira/browse/SLING-2113
> Project: Sling
> Issue Type: Bug
> Components: JCR
> Affects Versions: JCR Jackrabbit User Manager 2.1.0
> Reporter: Markus Joschko
> Priority: Minor
>
> A member of the GroupAdmin group should be able to add members to all groups.
> That works fine except for the UserAdmin group.
> There the addition fails if the user is not at the same time the admin user.
> Jackrabbit is denying the rights for the property right.
> 27.06.2011 14:45:48.874 *ERROR* [127.0.0.1 [1309178743836] POST /system/userManager/group/UserAdmin.update.json HTTP/1.1] org.apache.sling.jackrabbit.usermanager.impl.post.UpdateGroupServlet Failed to update group. javax.jcr.AccessDeniedException: Permission denied.
>     at org.apache.jackrabbit.core.ProtectedItemModifier.checkPermission(ProtectedItemModifier.java:175)
>     at org.apache.jackrabbit.core.ProtectedItemModifier.setProperty(ProtectedItemModifier.java:126)
>     at org.apache.jackrabbit.core.security.user.UserManagerImpl.setProtectedProperty(UserManagerImpl.java:696)
>     at org.apache.jackrabbit.core.security.user.GroupImpl$PropertyBasedMembershipProvider.addMember(GroupImpl.java:392)
>     at org.apache.jackrabbit.core.security.user.GroupImpl.addMember(GroupImpl.java:172)
>     at org.apache.sling.jackrabbit.usermanager.impl.post.AbstractGroupPostServlet.updateGroupMembership(AbstractGroupPostServlet.java:88)
>     at org.apache.sling.jackrabbit.usermanager.impl.post.UpdateGroupServlet.updateGroup(UpdateGroupServlet.java:149)
>     at org.apache.sling.jackrabbit.usermanager.impl.post.UpdateGroupServlet.handleOperation(UpdateGroupServlet.java:107)
>     at org.apache.sling.jackrabbit.usermanager.impl.post.AbstractPostServlet.doPost(AbstractPostServlet.java:88)
>     at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:148)
>     at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
>     at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
>     at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:491)
>     at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:273)
>     at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49)
>     at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
>     at org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter.doFilter(RequestProgressTrackerLogFilter.java:59)
>     at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
>     at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processRequest(SlingRequestProcessorImpl.java:163)
>     at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:187)
>     at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:96)
>     at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79)
>     at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42)
>     at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49)
>     at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)