[MAGNOLIA-4508] User manager is not handling removing (roles, groups) correctly Created: 08/Aug/12  Updated: 27/Aug/12  Resolved: 16/Aug/12

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: None
Fix Version/s: 4.5.5

Type: Bug Priority: Major
Reporter: Ondrej Chytil Assignee: Ondrej Chytil
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

The delegating user manager calls the remove methods through delegateUntilSupported, which invokes the method on the first user manager that supports it, regardless of whether the user actually exists under that manager.

Another issue: the base RepositoryBackedSecurityManager.remove method is called in SystemContext. The current context should be used instead so that the caller's permissions are respected.
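As an added illustration (not Magnolia's own code), a stripped-down Java model of both problems from this description: the delegating manager must route the removal to the delegate that owns the user, and it must check the caller's permissions instead of running as the system user. The names DelegatingRemoveExample, RealmUserManager, USERS_WORKSPACE_WRITERS and the invented users are stand-ins, not Magnolia identifiers.

```java
import java.util.*;

// Illustrative model of MAGNOLIA-4508, not Magnolia's code: the names below are
// invented stand-ins for DelegatingUserManager / delegateUntilSupported.
public class DelegatingRemoveExample {
    interface UserManager {
        boolean hasUser(String name);
        Set<String> roles(String name);
        void removeRole(String name, String role);
    }

    // One delegate per realm (e.g. "system" and "public"); removeRole on a user
    // it does not own is a silent no-op, which is what makes the bug invisible.
    static class RealmUserManager implements UserManager {
        private final Map<String, Set<String>> users = new HashMap<>();
        RealmUserManager with(String name, String... roles) {
            users.put(name, new HashSet<>(Arrays.asList(roles))); return this; }
        public boolean hasUser(String name) { return users.containsKey(name); }
        public Set<String> roles(String name) { return users.getOrDefault(name, Set.of()); }
        public void removeRole(String name, String role) { if (hasUser(name)) users.get(name).remove(role); }
    }
    // Constructed ACL: who may write the users workspace.
    static final Set<String> USERS_WORKSPACE_WRITERS = Set.of("superuser");

    // Buggy: "delegate until supported" takes the first delegate that implements
    // removeRole, whether or not the user lives there, and runs as system (no ACL check).
    static void removeRoleBuggy(List<UserManager> delegates, String user, String role) {
        delegates.get(0).removeRole(user, role);
    }
    // Fixed: check the caller's own permission, then delegate to the manager that owns the user.
    static void removeRoleFixed(String caller, List<UserManager> delegates, String user, String role) {
        if (!USERS_WORKSPACE_WRITERS.contains(caller))
            throw new SecurityException(caller + " may not write the users workspace");
        for (UserManager um : delegates)
            if (um.hasUser(user)) { um.removeRole(user, role); return; }
        throw new NoSuchElementException("no user manager owns " + user);
    }

    public static void main(String[] args) {
        RealmUserManager system = new RealmUserManager().with("superuser", "superuser");
        RealmUserManager pub = new RealmUserManager().with("alice", "editor", "publisher");
        List<UserManager> delegates = List.of(system, pub);
        removeRoleBuggy(delegates, "alice", "editor");            // hits "system", alice untouched
        System.out.println("buggy: alice roles = " + pub.roles("alice"));
        removeRoleFixed("superuser", delegates, "alice", "editor"); // hits "public", role removed
        System.out.println("fixed: alice roles = " + pub.roles("alice"));
        try { removeRoleFixed("alice", delegates, "alice", "publisher"); }
        catch (SecurityException e) { System.out.println("fixed: " + e.getMessage()); }
    }
}
```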



Comments
Comment by Ondrej Chytil [ 24/Aug/12 ]

The remove method was done in system context previously. In that state, a user without proper access to the users repository was able to call the method and remove a group/role from any user's settings. Now the current context is used, so the user must have write permissions to do so. If needed, the method itself can be called from system context.

Generated at Mon Feb 12 03:56:27 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.