Author: ate Date: Tue Oct 4 19:41:23 2011 New Revision: 1178928 URL: http://svn.apache.org/viewvc?rev=1178928&view=rev Log: JS2-915: Provide admin role security restriction on admin role maintenance. Adds additional protection against modification and deletion of the admin role by non-admin users. See: http://issues.apache.org/jira/browse/JS2-915
Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java?rev=1178928&r1=1178927&r2=1178928&view=diff
==============================================================================
--- portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java (original)
+++ portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/security/JetspeedPrincipalManagementPortlet.java Tue Oct 4 19:41:23 2011
@@ -2004,7 +2004,7 @@ public class JetspeedPrincipalManagement
 boolean disableAdminEdit = true;
 try
 {
- if (!((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole) || getPortletRequest().isUserInRole(adminRole))
+ if (getPortletRequest().isUserInRole(adminRole) || !((RoleManager)getRoleManager()).isUserInRole(principal.getName(), adminRole))
 {
 disableAdminEdit = false;
 }
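Review bot: The security intent behind the reordered `||` on the `+` line is not recorded in the code, so a later reader could swap the operands back without noticing that the order now decides whether the `RoleManager` lookup runs at all. With the current-user check first, a request from an admin short-circuits and never reaches `getRoleManager()`, so a failure in that lookup can only affect non-admin users, who then keep the fail-closed default `disableAdminEdit = true` set two lines above. I would put `// fail closed: editing is enabled only for an admin, or for anyone editing a non-admin principal; the admin check goes first so an admin is never locked out by a RoleManager lookup failure` above the `if`. The `try` block's catch clause and the enclosing method continue outside the hunk, so whether the catch really preserves the `true` default cannot be confirmed from here.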
@@ -2018,6 +2018,15 @@ public class JetspeedPrincipalManagement
 return;
 }
 }
+ else if (principalType.getName().equals(JetspeedPrincipalType.ROLE))
+ {
+ String adminRole = getServiceLocator().getPortalConfiguration().getString(PortalConfigurationConstants.ROLES_DEFAULT_ADMIN);
+ if (principal.getName().equals(adminRole) && !getPortletRequest().isUserInRole(adminRole))
+ {
+ // disallow maintenance on admin role
+ return;
+ }
+ }
 tab = new AbstractTab(new Model("Status"))
 {
 public Panel getPanel(String panelId)
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
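Review bot: The new `else if` on the ROLE branch only prevents the Status tab (and whatever follows it) from being built when a non-admin views the admin role; nothing in this hunk guards the update or delete actions themselves, so unless the action handlers elsewhere in the portlet repeat the check, the restriction lives in the UI only and a crafted request could still reach the modifying code. The same condition should be enforced where the role is actually modified or removed, preferably through one private helper shared with the USER branch of the preceding hunk, which reads the same `ROLES_DEFAULT_ADMIN` setting. Whether the commit's "additional protection" wording means such server-side checks already exist cannot be told from these lines. The comment `// disallow maintenance on admin role` would be more useful as `// non-admin users must not get maintenance tabs for the admin role (JS2-915)`. The enclosing method starts and ends outside the hunk.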