Uploaded image for project: 'Jackrabbit FileVault'
  1. Jackrabbit FileVault
  2. JCRVLT-515

AdminPermissionChecker should evaluate all principals bound to the Session

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.5.0
    • vlt
    • None

    Description

      Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the first principal is returned (in case it is backed by a real JCR user). Instead one should leverage org.apache.jackrabbit.api.security.principal.PrincipalManager to retrieve all principals bound to the session and check that at least one is the administrator.

      Attachments

        Issue Links

          causes

          New Feature - A new feature of the product, which has yet to be developed. OAK-9415 Allow access to all principals bound to the current session

          • Major - Major loss of function.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. JCRVLT-427 Allow installation of packages with hook for users without admin privileges

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #141

          Activity

            People

              kwin Konrad Windszus
              kwin Konrad Windszus
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: