[Building Sakai] question about admin privilege

Hai Vo Thanh v0thanhhai at yahoo.com
Sat Jan 16 14:56:20 PST 2010


Can you explain more about the SecurityAdvisor?

SecurityAdvice isAllowed(String userId, String function, String reference);

I thought it is used to check whether the current user can perform the function on the referenced Entity. What is the String function? What is the String reference? How do I use it?

I encountered a problem when I wanted to get the AssignmentSubmission by using the AssignmentService. A normal user cannot get it - an internal error occurred, but when I grant the user the admin role, he can get the AssignmentSubmission. I need something to trigger a user to admin before I get the AssignmentSubmission and then trigger it off.
Thanks and regards
-----------------
Hai Vo




________________________________
From: Nuno Fernandes <nuno at ufp.edu.pt>
To: Stephen Marquard <stephen.marquard at uct.ac.za>
Cc: Hai Vo Thanh <v0thanhhai at yahoo.com>; sakai-dev at collab.sakaiproject.org
Sent: Fri, January 15, 2010 11:59:24 PM
Subject: Re: [Building Sakai] question about admin privilege

Right!

With a custom SecurityAdvisor, you can also grant/deny/pass access only for a specific set of permissions and/or entity references...

Nuno


On Fri, Jan 15, 2010 at 4:57 PM, Stephen Marquard <stephen.marquard at uct.ac.za> wrote:

>
>There is also the option of using a SecurityAdvisor to permit the
>>current user to perform specific actions, rather than setting the user's
>>session to admin, which applies to any requests from that user while in
>>effect, and can lead to unintended security holes if the "admin-enabled"
>>action takes a while to execute, for example.
>
>>Regards
>>Stephen
>
>>>>> Nuno Fernandes <nuno at ufp.edu.pt> 1/15/2010 11:47 AM >>>
>
>Hi Hai Vo,
>
>>Are you trying to give admin privilege to a user on the UI, or do you wish to
>>perform an admin operation triggered by a user who doesn't have such
>>permission (e.g., adding users to a site after a user (with access role)
>>clicks on something on a tool page)?
>
>>For the second case (done in code), you could probably use something
>>like:
>
>>    AdminExecution exec = new AdminExecution() {
>>        @Override
>>        public Object execution() throws Exception {
>>            return performSakaiAdminOpAndReturnString();
>>        }
>>    };
>>    try{
>>        return (String) exec.execute();
>>    }catch(Exception e){
>>        log.error("Error while executing admin operation", e);
>>        return null;
>>    }
>
>>where, *AdminExecution* is an abstract class:
>
>>abstract class AdminExecution {
>>    public AdminExecution() {}
>>
>>    public abstract Object execution() throws Exception;
>>
>>    public Object execute() throws Exception {
>>        Object returnObject = null;
>>        Session sakaiSession = sessionManager.getCurrentSession();
>>        String currentUserId = sakaiSession.getUserId();
>>        String currentUserEid = sakaiSession.getUserEid();
>>        if (!"admin".equals(currentUserId)) {
>>            // current user not admin: swap the session identity to admin
>>            try {
>>                sakaiSession.setUserId("admin");
>>                sakaiSession.setUserEid("admin");
>>                authGroupService.refreshUser("admin");
>>                returnObject = execution();
>>            } catch (Exception e) {
>>                log.error("Error occurred while executing as Sakai Administrator", e);
>>                throw e;
>>            } finally {
>>                // always restore the original identity
>>                sakaiSession.setUserId(currentUserId);
>>                sakaiSession.setUserEid(currentUserEid);
>>                authGroupService.refreshUser(currentUserId);
>>            }
>>        } else {
>>            // current user is admin
>>            try {
>>                returnObject = execution();
>>            } catch (Exception e) {
>>                log.error("Error occurred while executing as Sakai Administrator", e);
>>                throw e;
>>            }
>>        }
>>        return returnObject;
>>    }
>>}
>
>>Hope it helps,
>>Nuno
>
>>On Fri, Jan 15, 2010 at 8:48 AM, Hai Vo Thanh <v0thanhhai at yahoo.com> wrote:
>
>>> Dear all,
>>> Is there any method that can set a user to have admin privilege temporarily?
>>> Thanks.
>>> -----------
>>> Hai Vo
>
>
>
>>--
>>Nuno Fernandes
>
>>Profile    | http://facebook.com/nfgrilo | http://linkedin.com/in/nfgrilo
>>Web      | http://codingwithcoffee.com | http://twitter.com/nfgrilo
>>Work     | Analyst/Programmer @ UFP-UV [http://elearning.ufp.pt]
>>             | Analyst/Programmer @ Sakai Foundation [http://sakaiproject.org]
>>             | Sakai Fellow 2008 @ Sakai Foundation [http://confluence.sakaiproject.org//x/6oCTAQ]
>>Address | Universidade Fernando Pessoa  [http://www.ufp.pt]
>>             | Praça 9 de Abril, 349    | 4249-004 Porto
>>             | tel: + 351 22 507 13 00 | fax: + 351 22 550 82 69
>
>





      
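Added example, not part of the thread and not Sakai's own code: a scoped advisor of the kind Stephen and Nuno describe, which grants one function (a permission name) on one reference (an entity reference string) to one user, in contrast to swapping the session to admin. The types, the advisor stack, `unlock`, and all sample values are constructed stand-ins shaped after the `isAllowed` signature quoted above.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ScopedAdvisorDemo {
    // Stand-ins modelled on the signature quoted in the message; not Sakai's classes.
    enum SecurityAdvice { ALLOWED, NOT_ALLOWED, PASS }

    interface SecurityAdvisor {
        SecurityAdvice isAllowed(String userId, String function, String reference);
    }

    // Hypothetical advisor stack, consulted before the normal permission lookup.
    static final Deque<SecurityAdvisor> advisors = new ArrayDeque<>();

    static boolean unlock(String userId, String function, String reference) {
        for (SecurityAdvisor a : advisors) {
            SecurityAdvice advice = a.isAllowed(userId, function, reference);
            if (advice != SecurityAdvice.PASS) {
                return advice == SecurityAdvice.ALLOWED;
            }
        }
        return "admin".equals(userId); // stand-in for the real role/permission check
    }

    // Grants exactly one function on one reference to one user; PASS for anything else,
    // so every other request still goes through the normal checks.
    static SecurityAdvisor allowOnly(String user, String function, String reference) {
        return (u, f, r) -> user.equals(u) && function.equals(f) && reference.equals(r)
                ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS;
    }

    public static void main(String[] args) {
        // Constructed sample values: permission names and entity references.
        String user = "student1", read = "demo.read", grade = "demo.grade";
        String ref = "/demo/site-1/sub-42", other = "/demo/site-1/sub-43";

        advisors.push(allowOnly(user, read, ref));
        try {
            System.out.println("exact match:     " + unlock(user, read, ref));
            System.out.println("other function:  " + unlock(user, grade, ref));
            System.out.println("other reference: " + unlock(user, read, other));
        } finally {
            advisors.pop(); // remove the advisor even if the guarded call throws
        }
        System.out.println("after pop:       " + unlock(user, read, ref));
    }
}
```

Only the exact user, function and reference triple is granted, and only between the push and the pop; the session identity is never changed, so concurrent requests from the same user gain nothing.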