[ http://jira.codehaus.org/browse/CONTINUUM-935?page=all ]
Jesse McConnell updated CONTINUUM-935:
--------------------------------------
Component/s: Web - Security
While this is indicated on the acegi-branch, it's something that should be
checked that it is covered to a large enough degree by the plexus-security
integration.
> Conflict between manageUsers and admin roles
> --------------------------------------------
>
> Key: CONTINUUM-935
> URL: http://jira.codehaus.org/browse/CONTINUUM-935
> Project: Continuum
> Issue Type: Bug
> Components: Web - Security
> Affects Versions: 1.1
> Environment: acegi branch
> Reporter: Carlos Sanchez
> Assigned To: Lester Ecarma
> Priority: Critical
>
> A user with manageUsers role should not be able to assign the admin role to
> anybody.
> The problem expands to any role; I think the solution should be implemented
> in UserManager.
> When getting the list of available groups for adding to a user it must not
> return groups that have roles that the current user does not have. This must
> be checked in the method that adds a user to a group too.
> When adding roles to a user group, only the roles of the current user can be
> added, to avoid people adding roles to their groups.
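The three checks proposed in the issue description, sketched as an added example that is not code from Continuum, Acegi or plexus-security. The class, its maps and method names are hypothetical, and it assumes a user's roles are the union of the roles of the groups the user belongs to.

```java
import java.util.*;
// Hypothetical in-memory model, not the Continuum or plexus-security UserManager API.
public class RoleDelegationGuard {
    final Map<String, Set<String>> groupRoles = new TreeMap<>(); // group -> roles it grants
    final Map<String, Set<String>> userGroups = new HashMap<>(); // user  -> groups joined
    // Effective roles of a user: union of the roles of every group the user is in.
    Set<String> rolesOf(String user) {
        Set<String> roles = new TreeSet<>();
        for (String g : userGroups.getOrDefault(user, Set.of()))
            roles.addAll(groupRoles.getOrDefault(g, Set.of()));
        return roles;
    }
    // Listing: offer only groups whose roles are all held by the acting user.
    List<String> assignableGroups(String actor) {
        Set<String> held = rolesOf(actor);
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : groupRoles.entrySet())
            if (held.containsAll(e.getValue())) out.add(e.getKey());
        return out;
    }
    // Write path: repeat the check, since a filtered list does not stop a crafted request.
    void addUserToGroup(String actor, String target, String group) {
        Set<String> granted = groupRoles.get(group);
        if (granted == null) throw new IllegalArgumentException("unknown group " + group);
        if (!rolesOf(actor).containsAll(granted))
            throw new SecurityException(actor + " may not grant group " + group);
        userGroups.computeIfAbsent(target, k -> new HashSet<>()).add(group);
    }
    // Group editing: a role can be added to a group only by someone who holds it.
    void addRoleToGroup(String actor, String group, String role) {
        if (!rolesOf(actor).contains(role))
            throw new SecurityException(actor + " does not hold role " + role);
        groupRoles.computeIfAbsent(group, k -> new HashSet<>()).add(role);
    }

    public static void main(String[] args) {
        RoleDelegationGuard m = new RoleDelegationGuard();
        // Constructed sample data: alice manages users but is not an admin.
        m.groupRoles.put("admins", new HashSet<>(Set.of("admin", "manageUsers")));
        m.groupRoles.put("userManagers", new HashSet<>(Set.of("manageUsers")));
        m.userGroups.put("alice", new HashSet<>(Set.of("userManagers")));
        System.out.println("alice may assign: " + m.assignableGroups("alice"));
        m.addUserToGroup("alice", "bob", "userManagers"); // allowed
        try { m.addUserToGroup("alice", "bob", "admins"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { m.addRoleToGroup("alice", "userManagers", "admin"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The write-path checks matter more than the list filter: the filter only shapes what the UI offers, while `addUserToGroup` and `addRoleToGroup` are what refuse a request that names a group or role directly.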