[
https://issues.jboss.org/browse/SEAMSECURITY-18?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shane Bryzak resolved SEAMSECURITY-18.
--------------------------------------
Resolution: Out of Date
IdentityManager has been removed
> IdentityManager: extend permission checks to allow user to modify his own
> password
> ----------------------------------------------------------------------------------
>
> Key: SEAMSECURITY-18
> URL: https://issues.jboss.org/browse/SEAMSECURITY-18
> Project: Seam Security
> Issue Type: Feature Request
> Reporter: Raimund Hölle
> Assignee: Shane Bryzak
> Priority: Minor
>
> Because IdentityManager.changePassword() requires the permission
> ("seam.user", "update"), it is not possible to use that method to change the
> password of the authenticated user itself without granting that permission to
> him.
> But granting that means, the user is able to modify _any_ user.
> I'm suggest to add a new permission target (or maybe a new action) and extend
> the changePassword() method:
> public static final String OWNPASSWORD_PERMISSION_NAME =
> "seam.user.ownpassword";
>
> public boolean changePassword(String name, String password) {
> Identity identity = Identity.instance();
> try {
> identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
> } catch (AuthorizationException e) {
> if ( identity.isLoggedIn() &&
> identity.getCredentials().getUsername().equals(name) ) {
> Identity.instance().checkPermission(OWNPASSWORD_PERMISSION_NAME,
> PERMISSION_UPDATE);
> } else {
> throw e;
> }
> }
> return identityStore.changePassword(name, password);
> }
> Or maybe a specialized method?
> Many regards,
> Raimund
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
