AbstractSession.isAdministrator() should not rely on hardcoded group name but use the pluggable permission system
---------------------------------------------------------------------------------------------------------------
Key: NXP-2427
URL: http://jira.nuxeo.org/browse/NXP-2427
Project: Nuxeo Enterprise Platform
Issue Type: Bug
Components: Core
Affects Versions: 5.2 M1, 5.1.4
Reporter: Olivier Grisel
Assignee: Olivier Grisel
Priority: Major
Fix For: 5.1.5, 5.2 M2
The AbstractSession implementation sometimes uses an internal method
isAdministrator() that tests whether the current principal name is
'Administrator' or whether it belongs to a group named 'administrators'.
Performing security checks based on principal names is wrong, since principal
names can come from external sources (such as an LDAP or ActiveDirectory server)
that we have no control over.
Instead we should use permission checks, which are pluggable thanks to the
existing extension point.
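To make the contrast concrete, here is an added illustration that is not Nuxeo code and does not use Nuxeo's real API: every type in it (SessionPrincipal, PermissionProvider, ConfiguredGroupProvider) and the permission name ADMIN_PERMISSION_PLACEHOLDER are hypothetical stand-ins. It places the name-based check the ticket reports next to a version that delegates to a provider registered through a pluggable seam, and runs both against a principal whose name arrives from an external directory.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added illustration for NXP-2427 (not Nuxeo code). Every type here is a
 * hypothetical stand-in; the point is the contrast between deciding on a
 * hardcoded name and deciding through a pluggable permission provider.
 */
public class AdminCheckExample {

    /** Authenticated principal: a name plus group names, possibly from LDAP (hypothetical). */
    public record SessionPrincipal(String name, Set<String> groups) {}

    /** The pluggable seam: whatever provider was registered on the extension point (hypothetical). */
    public interface PermissionProvider {
        boolean hasPermission(SessionPrincipal principal, String permission);
    }

    /** Permission consulted by the fixed check; a placeholder, not a real Nuxeo permission name. */
    public static final String ADMIN_PERMISSION = "ADMIN_PERMISSION_PLACEHOLDER";

    /** Before: the hardcoded test the ticket reports. Any identity source that yields these names passes. */
    public static boolean isAdministratorByName(SessionPrincipal p) {
        return "Administrator".equals(p.name()) || p.groups().contains("administrators");
    }

    /** After: the session asks the permission system and carries no reserved names of its own. */
    public static boolean isAdministratorByPermission(PermissionProvider provider, SessionPrincipal p) {
        return provider.hasPermission(p, ADMIN_PERMISSION);
    }

    /**
     * Example provider: grants a permission only to groups the deployer mapped to it
     * (here a constructed in-memory map standing in for deployment configuration).
     * A directory that happens to expose a user or group called "Administrator" or
     * "administrators" therefore gets nothing unless the deployer mapped that group.
     */
    public static final class ConfiguredGroupProvider implements PermissionProvider {
        private final Map<String, Set<String>> permissionToGroups;

        public ConfiguredGroupProvider(Map<String, Set<String>> permissionToGroups) {
            this.permissionToGroups = permissionToGroups;
        }

        @Override
        public boolean hasPermission(SessionPrincipal principal, String permission) {
            Set<String> granted = permissionToGroups.getOrDefault(permission, Set.of());
            for (String group : principal.groups()) {
                if (granted.contains(group)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed configuration: only the locally managed group is mapped to the permission.
        PermissionProvider provider = new ConfiguredGroupProvider(
                Map.of(ADMIN_PERMISSION, Set.of("local-platform-admins")));

        // Constructed principals. The second one's name was supplied by an external directory.
        SessionPrincipal localAdmin = new SessionPrincipal("alice", Set.of("local-platform-admins"));
        SessionPrincipal externalUser = new SessionPrincipal("Administrator", Set.of("ldap-staff"));

        System.out.println("name-based, local admin:        " + isAdministratorByName(localAdmin));
        System.out.println("name-based, external user:      " + isAdministratorByName(externalUser));
        System.out.println("permission-based, local admin:  " + isAdministratorByPermission(provider, localAdmin));
        System.out.println("permission-based, external user:" + isAdministratorByPermission(provider, externalUser));
    }
}
```

Running it shows the two checks disagreeing on both principals: the name-based check rejects the locally managed administrator (her name and group match neither literal) and accepts the externally sourced "Administrator", while the permission-based check does the reverse because the decision rests on the deployer's mapping rather than on strings the platform does not control. Swapping ConfiguredGroupProvider for another PermissionProvider changes the policy without touching the session code, which is the property the extension point is meant to give.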
--
This message is automatically generated by JIRA.
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets