[MAGNOLIA-4508] User manager is not handling removing (roles, groups) correctly
Created: 08/Aug/12 | Updated: 27/Aug/12 | Resolved: 16/Aug/12
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | None |
| Fix Version/s: | 4.5.5 |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Ondrej Chytil |
| Assignee: | Ondrej Chytil |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)

| Bug DoR: |
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

| Description |
The delegating user manager calls the remove methods through delegateUntilSupported, which invokes the method on the first user manager regardless of whether the user exists under it. A second issue: the base RepositoryBackedSecurityManager.remove method is called in the SystemContext; the current context should be used instead so that the caller's permissions are respected.
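To make the two defects in the description concrete, here is a small Java model added for this page. It is not Magnolia code: Context, UserManager, RepositoryBackedUserManager and DelegatingUserManager are hypothetical stand-ins for the classes the ticket names, and the realms, users and roles are constructed sample data. It shows a delegating manager that forwards every removal to its first delegate in the system context, beside the corrected routing, where the delegate that actually holds the user is found and the caller's own context is kept so that the write permission on the user node is checked.

```java
import java.util.*;

/** Hypothetical stand-ins for the ticket's classes; none of this is Magnolia's real API. */
final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String message) { super(message); }
}

/** Acting context: who is calling and which repository paths they may write. */
final class Context {
    final String principal;
    private final boolean system;
    private final Set<String> writablePaths;
    Context(String principal, boolean system, Set<String> writablePaths) {
        this.principal = principal;
        this.system = system;
        this.writablePaths = writablePaths;
    }
    /** The system context passes every permission check, which is why it must not be used on a caller's behalf. */
    static Context system() { return new Context("system", true, Collections.emptySet()); }
    boolean canWrite(String path) { return system || writablePaths.contains(path); }
}

interface UserManager {
    boolean hasUser(String userName);
    /** Removes a role from a user; returns false if this manager does not hold the user. */
    boolean removeRole(Context ctx, String userName, String roleName);
}

/** One realm's users, stored at /<realm>/<user>; every write is checked against the acting context. */
final class RepositoryBackedUserManager implements UserManager {
    private final String realm;
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();
    RepositoryBackedUserManager(String realm) { this.realm = realm; }
    void addUser(String userName, String... roles) {
        rolesByUser.put(userName, new HashSet<>(Arrays.asList(roles)));
    }
    Set<String> rolesOf(String userName) {
        return Collections.unmodifiableSet(rolesByUser.getOrDefault(userName, Collections.emptySet()));
    }
    String pathOf(String userName) { return "/" + realm + "/" + userName; }
    @Override public boolean hasUser(String userName) { return rolesByUser.containsKey(userName); }
    @Override public boolean removeRole(Context ctx, String userName, String roleName) {
        if (!hasUser(userName)) return false;
        if (!ctx.canWrite(pathOf(userName))) {
            throw new AccessDeniedException(ctx.principal + " may not write " + pathOf(userName));
        }
        return rolesByUser.get(userName).remove(roleName);
    }
}

/** Fans calls out to per-realm managers. */
final class DelegatingUserManager implements UserManager {
    private final List<UserManager> delegates;
    DelegatingUserManager(List<UserManager> delegates) { this.delegates = delegates; }
    @Override public boolean hasUser(String userName) {
        return delegates.stream().anyMatch(um -> um.hasUser(userName));
    }
    /** The pattern the ticket describes: first delegate regardless of who holds the user, always in system context. */
    boolean removeRoleBeforeFix(Context callerCtx, String userName, String roleName) {
        return delegates.get(0).removeRole(Context.system(), userName, roleName);
    }
    /** Corrected: route to the delegate that holds the user and keep the caller's own context. */
    @Override public boolean removeRole(Context ctx, String userName, String roleName) {
        for (UserManager um : delegates) {
            if (um.hasUser(userName)) return um.removeRole(ctx, userName, roleName);
        }
        return false;
    }
}

public class RemoveRoleDemo {
    public static void main(String[] args) {
        // Constructed sample data: two realms, one user in each.
        RepositoryBackedUserManager admins = new RepositoryBackedUserManager("admin");
        RepositoryBackedUserManager publicUsers = new RepositoryBackedUserManager("public");
        admins.addUser("superuser", "superuser");
        publicUsers.addUser("alice", "editor", "reviewer");
        DelegatingUserManager manager = new DelegatingUserManager(Arrays.asList(admins, publicUsers));

        // Constructed caller with no write access to the users repository at all.
        Context lowPriv = new Context("bob", false, Collections.emptySet());

        // Before the fix: alice is held by the second delegate, so the call quietly does nothing...
        System.out.println("before fix, alice:     " + manager.removeRoleBeforeFix(lowPriv, "alice", "editor"));
        // ...while a user held by the first delegate loses a role with no permission check at all.
        System.out.println("before fix, superuser: " + manager.removeRoleBeforeFix(lowPriv, "superuser", "superuser"));

        // After the fix: the owning delegate is found and the caller's permissions are enforced.
        try {
            manager.removeRole(lowPriv, "alice", "reviewer");
        } catch (AccessDeniedException e) {
            System.out.println("after fix, denied:     " + e.getMessage());
        }
        Context granted = new Context("carol", false, Collections.singleton(publicUsers.pathOf("alice")));
        System.out.println("after fix, granted:    " + manager.removeRole(granted, "alice", "reviewer")
                + ", alice now has " + publicUsers.rolesOf("alice"));
    }
}
```

The design point is that the permission check lives in the repository-backed manager and is driven entirely by the context handed to it, so a delegating layer that substitutes the system context turns every caller into an administrator for that operation; routing on hasUser additionally makes the removal land on the manager that owns the user rather than whichever delegate happens to be first.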
| Comments |
| Comment by Ondrej Chytil [ 24/Aug/12 ] |
The remove method was previously run in the system context. In that state, a user without proper access to the users repository was able to call the method and remove a group/role from any user's settings. Now the current context is used, so the user must have write permissions to do so. If needed, the method itself can be called from the system context.