[ 
http://jira.nuxeo.org/browse/NXP-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=36933#action_36933
 ] 

Olivier Grisel commented on NXP-2427:
-------------------------------------

Here is the proposed patch to AbstractSession:

diff --git 
a/nuxeo-core/src/main/java/org/nuxeo/ecm/core/api/AbstractSession.java 
b/nuxeo-core/src/main/java/org/nuxeo/ecm/core/api/AbstractSession.java
--- a/nuxeo-core/src/main/java/org/nuxeo/ecm/core/api/AbstractSession.java
+++ b/nuxeo-core/src/main/java/org/nuxeo/ecm/core/api/AbstractSession.java
@@ -78,6 +78,7 @@ import org.nuxeo.ecm.core.schema.Documen
 import org.nuxeo.ecm.core.schema.DocumentType;
 import org.nuxeo.ecm.core.schema.NXSchema;
 import org.nuxeo.ecm.core.schema.types.Schema;
+import org.nuxeo.ecm.core.security.SecurityException;
 import org.nuxeo.ecm.core.security.SecurityService;
 import org.nuxeo.ecm.core.utils.SIDGenerator;
 import org.nuxeo.ecm.core.versioning.DocumentVersion;
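Review bot: The added import of org.nuxeo.ecm.core.security.SecurityException is not referenced by any line visible in this patch; the new isAdministrator() body catches plain Exception instead. Either catch this type specifically there or drop the import. Its simple name also collides with java.lang.SecurityException, so any unqualified SecurityException in this file will now resolve to the Nuxeo class.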
@@ -2309,15 +2310,11 @@ public abstract class AbstractSession im
     }

     protected boolean isAdministrator() {
-        Principal principal = getPrincipal();
-        if (SecurityConstants.ADMINISTRATOR.equals(principal.getName())) {
-            return true;
-        }
-        if (principal instanceof NuxeoPrincipal) {
-            return ((NuxeoPrincipal) principal).getGroups().contains(
-                    SecurityConstants.ADMINISTRATORS);
-        }
-        return false;
+        try {
+            return hasPermission(getSession().getRootDocument(), EVERYTHING);
+        } catch (Exception e) {
+            return false;
+        }
     }

     public void applyDefaultPermissions(String userOrGroupName)
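Review bot: The catch (Exception e) in the new isAdministrator() body turns every failure, including an error raised by getSession().getRootDocument(), into a silent "not an administrator" answer. Failing closed is the right default for a security check, but catch the narrowest type these calls declare and log the exception, so that a backend fault can be told apart from a real denial. The method's meaning also changes from name and group membership to holding EVERYTHING on the root document, which deserves a Javadoc line. EVERYTHING is used unqualified while the removed lines wrote SecurityConstants.ADMINISTRATOR, so confirm that it resolves in this class.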


> AbstractSession.isAdministrator() should not rely on hardcoded groupname by 
> use the pluggable permission system
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: NXP-2427
>                 URL: http://jira.nuxeo.org/browse/NXP-2427
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 5.1.4, 5.2 M1
>            Reporter: Olivier Grisel
>            Assignee: Olivier Grisel
>            Priority: Major
>             Fix For: 5.1.5, 5.2 M2
>
>   Original Estimate: 2 hours
>  Remaining Estimate: 2 hours
>
> The AbstractSession implementation sometimes uses an internal method 
> isAdministrator() that tests whether the current principal name is 
> 'Administrator' or if it belongs to a group with name 'administrators'.
> Performing security checks based on principal names is wrong since principal 
> names can come from an external source (such as an LDAP or ActiveDirectory 
> server) we have no control over.
> Instead we should use permission checks that are pluggable thanks to the 
> existing extension point.
