> On December 25, 2018, 2:36 a.m., Don Bosco Durai wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 211 (original), 211 (patched)
> > <https://reviews.apache.org/r/69626/diff/2/?file=2116199#file2116199line211>
> >
> >     Please verify. It seems users would be able to provide a higher role to himself/herself.

In 'updateRoles(userProfile.getId(),userProfile.getUserRoleList())', 'xUserMgr.checkAccessRoles(stringRolesList)' and 'rangerBizUtil.blockAuditorRoleUser()' will check access, so AuditorRole and UserRole users cannot update roles; the request will return 403 Forbidden.


- Qiang


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69626/#review211530
-----------------------------------------------------------


On December 22, 2018, 3:59 a.m., Qiang Zhang wrote:
>
> (Updated December 22, 2018, 3:59 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2312
>     https://issues.apache.org/jira/browse/RANGER-2312
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Auditor role users cannot modify their personal user profile.
> User role and KMSAuditor role users have the same problem.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 9e457826e
>   security-admin/src/main/webapp/scripts/views/user/UserProfileForm.js 5ebd29048
>   security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java 202a113d8
>
>
> Diff: https://reviews.apache.org/r/69626/diff/2/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Qiang Zhang
>