[
https://issues.apache.org/jira/browse/JS2-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13115168#comment-13115168
]
Ate Douma commented on JS2-1100:
--------------------------------
I reviewed the current implementation, and while working partly, I found an
easier way to implement and complete this one, which happens to also solve
JS2-915 at the same time.
I'm using the current user its fully resolved (hierarchically even) principal
list, which is available from the Jetspeed wrapped UserSubjectPrincipal.
Having those, and when determined the current user does not have 'the' admin
role (determined from the PortalConfiguration),
the current user will only allowed to modify (both add and delete) principal
associations for a principal when itself has access (be assigned to) these
principals.
And, going even a bit further: I also disable editing *any* user principal
property/configuration when that user principal happens to be assigned this
admin role (except for admin role users itself).
That is: I *only* evaluate if the user principal as this admin role *directly*
assigned. So, not checking against possible hierarchical derived admin role
because that is very expensive and complex which we currently only do for a
logged in user itself.
Finally, while I was at it anyway, I've also cleaned up the "tabs" a bit by
renaming/replacing the "User Profile" tab for Roles and Groups to a new
"Status" tab,
and likewise splitted off the same functionality a new "Status" tab for Users
so the Users "User Profile" tab now really only provides "profile" management.
AFAIK, all works now as can be expected (as described above), and thereby
includes the requested functionality from JS2-915 too, automatically :)
> DeveloperBrowser-type portlets for delegated admin can be used to assign
> global admin role
> ------------------------------------------------------------------------------------------
>
> Key: JS2-1100
> URL: https://issues.apache.org/jira/browse/JS2-1100
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Admin Portlets
> Affects Versions: 2.2.0, 2.2.1
> Reporter: Paul Anderson
> Assignee: Ate Douma
> Labels: delegated, portlet, security
> Fix For: 2.2.2
>
>
> There is no way for a deployer to configure preset lists (or combinations) of
> allowed roles etc that a delegated administrator can assign to filtered
> users, or to filter out certain roles from the list of options available.
> (Also no way to set required attributes like language, which would be useful
> too).
> So a delegated admin can give users full global admin privileges. This makes
> the portlet unsuitable for production use.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
