[jira] Commented: (CONTINUUM-1147) Even if a user doesn't show a group in the group summary (because he doesn't have roles), he can access to the project group page and all other sub pages if he knows the url

Wed, 14 Feb 2007 10:11:45 -0800 

    [ 
http://jira.codehaus.org/browse/CONTINUUM-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_87606
 ] 

Jesse McConnell commented on CONTINUUM-1147:
--------------------------------------------


1) you ought to be able to get the securitySystem object in the 
ContinuumActionSupport base class injected, just add the @plexus.requirement on 
there and make sure the plexus-maven-plugin is putting it in the component 
declaration

2) I see a lot of isAuthenticationRequired() calls in that base class, I think 
a lot of these can be moved to be covered by the actions by implementing 
SecureAction and setting it to require authentication, then its not required 
for those helper methods anymore

3) you might want to look into using the prepare() method on the base class to 
populate the securitySession as well, not sure if that would work in all 
actions though since some might not require the authentication at all :/

4) I would recommend just taking a look at these comments and if they make 
sense to factor them into what you have and then commit, make sure the web 
tests still work though...this will require a healthy amount of testing :)  
Nice job though


> Even if a user doesn't show a group in the group summary (because he doesn't 
> have roles), he can access to the project group page and all other sub pages 
> if he knows the url
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-1147
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1147
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>         Assigned To: Emmanuel Venisse
>         Attachments: CONTINUUM-1147-continuum-webapp.patch, 
> CONTINUUM-1147-continuum.patch
>
>


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to