Nuxeo Platform: NXP-2427

AbstractSession.isAdministrator() should not rely on a hardcoded group name but use the pluggable permission system


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 5.1.4, 5.2 M1
    • Fix Version/s: 5.1.5, 5.2 M2
    • Component/s: Core

      Description

      The AbstractSession implementation sometimes uses an internal method isAdministrator() that tests whether the current principal name is 'Administrator' or whether it belongs to a group named 'administrators'.

      Performing security checks based on principal names is wrong since principal names can come from an external source (such as an LDAP or Active Directory server) that we have no control over.

      Instead we should use permission checks that are pluggable thanks to the existing extension point.
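The contrast the issue draws, as an added example that is not Nuxeo's code: a name-based isAdministrator() next to one that delegates to a pluggable, deny-by-default permission check. The Principal, SecurityPolicy and PolicyRegistry types, the "ManageEverything" permission name and the sample principals are all hypothetical stand-ins for the session principal and the extension point the issue refers to, not the real Nuxeo API.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;

// Added example, not Nuxeo code. Principal, SecurityPolicy and PolicyRegistry are
// hypothetical stand-ins for the session principal and the pluggable permission
// extension point mentioned in the issue.
public class AdminCheckExample {

    /** Minimal principal: a name plus the groups the user directory reported for it. */
    record Principal(String name, Set<String> groups) {}

    /** Name-based check as described in the issue (the "before"): trusts externally supplied names. */
    static boolean isAdministratorByName(Principal p) {
        return "Administrator".equals(p.name()) || p.groups().contains("administrators");
    }

    /** Pluggable policy: each policy may grant (TRUE), deny (FALSE) or abstain (null). */
    interface SecurityPolicy {
        Boolean check(Principal p, String permission);
    }

    /** Registry standing in for the extension point: contributed policies are consulted in order. */
    static final class PolicyRegistry {
        private final List<SecurityPolicy> policies = new CopyOnWriteArrayList<>();

        void register(SecurityPolicy policy) {
            policies.add(policy);
        }

        /** Deny by default: granted only if at least one policy grants and no policy denies. */
        boolean hasPermission(Principal p, String permission) {
            boolean granted = false;
            for (SecurityPolicy policy : policies) {
                Boolean verdict = policy.check(p, permission);
                if (verdict == null) {
                    continue;           // policy abstains
                }
                if (!verdict) {
                    return false;       // an explicit deny always wins
                }
                granted = true;
            }
            return granted;
        }
    }

    /** Hardened check: ask the configured policies instead of string-comparing names. */
    static boolean isAdministrator(PolicyRegistry registry, Principal p) {
        return registry.hasPermission(p, "ManageEverything"); // hypothetical permission name
    }

    public static void main(String[] args) {
        // Constructed sample principals. "administrators" is a group name an external
        // LDAP directory could assign to anyone; the session has no control over it.
        Principal ldapUser = new Principal("jdoe", Set.of("administrators"));
        Principal localAdmin = new Principal("Administrator", Set.of());
        Principal trusted = new Principal("ops", Set.of("nuxeo-local-admins"));

        // Name-based check: the directory-supplied group name alone makes jdoe an admin.
        System.out.println("by name, jdoe: " + isAdministratorByName(ldapUser));

        // Policy-based check: the deployer decides which principals hold the permission,
        // here by mapping it to a locally managed group rather than a name the directory controls.
        PolicyRegistry registry = new PolicyRegistry();
        Map<String, Set<String>> grants = Map.of("ManageEverything", Set.of("nuxeo-local-admins"));
        registry.register((p, perm) -> {
            Set<String> allowedGroups = grants.get(perm);
            if (allowedGroups == null) {
                return null;
            }
            for (String g : p.groups()) {
                if (allowedGroups.contains(g)) {
                    return Boolean.TRUE;
                }
            }
            return null;
        });
        // A second contributed policy can veto, e.g. deny everything to principals flagged as disabled.
        registry.register((p, perm) -> p.groups().contains("disabled") ? Boolean.FALSE : null);

        System.out.println("by policy, jdoe: " + isAdministrator(registry, ldapUser));
        System.out.println("by policy, Administrator: " + isAdministrator(registry, localAdmin));
        System.out.println("by policy, ops: " + isAdministrator(registry, trusted));
    }
}
```

With the registry in place, neither the 'Administrator' name nor an 'administrators' group coming from the directory grants anything by itself; only what a contributed policy explicitly grants is honoured, and any policy can deny, which is the property a pluggable permission check buys over a hardcoded name comparison.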


            People

            • Assignee: ogrisel Olivier Grisel
            • Reporter: ogrisel Olivier Grisel
            • Votes: 0
            • Watchers: 0


                Time Tracking

                • Original Estimate: 2h
                • Remaining Estimate: 2h
                • Time Spent: Not Specified