[Building Sakai] question about admin privilege
Nuno Fernandes
nuno at ufp.edu.pt
Mon Jan 18 01:50:10 PST 2010
Hi Hai Vo,
The method call you referred is invoked by the SecurityService for every
security question asked to this service, and you should implement it to fit
your needs:
*userId* is the user involved on the security check. For example, if an user
tries to download a file, the userId will match this user.
*function* is the permission function being analyzed right now, you should
discard all (returning PASS, to let others decide on this) except for the
ones you are interested. Please check on AssignmentService for the
permission functions used: should be something close to the list below:
asn.all.groups
asn.delete
asn.grade
asn.new
asn.read
asn.receive.notifications
asn.revise
asn.share.drafts
asn.submit
*reference* is the reference that identifies the entity resource being
analyzed. You should check that this reference is related to Assignments,
possibly checking its prefix. This may identify an assignment or an
assignment submission, for example. A reference string will look like:
/assignment/s/4bca6cd5-97f2-4fce-b9cb-9649b9f227a7/b8e874f8-ea48-444a-89b7-56da213e2768/c28f545b-e6af-419c-8a82-0eec142a5550
The rule here is to return PASS for everything you don't want to chance the
security behavior. For your "special cases" you will return either ALLOWED
or NOT_ALLOWED.
Hope it helps,
Nuno
On Sat, Jan 16, 2010 at 10:56 PM, Hai Vo Thanh <v0thanhhai at yahoo.com> wrote:
> can you explain more about the SecurityAdvisor.
>
> SecurityAdvice isAllowed(String userId, String function, String reference);
>
> i thought it is used to check the current user can perform the function on
> the referenced Entity. What is the String function? what is the String
> reference? How to use it?
>
> i encountered a problem when i want to get the AssignmentSubmission by
> using the AssignmentService. a normal user can not get it - a internal error
> occoured, but when i grant the user admin role, he can get the
> AssignmentSubmission. I need something to trigger a user to admin before i
> get the AssignmentSubmission and then trigger off.
> Thanks and regards
> -----------------
> Hai Vo
>
> ------------------------------
> *From:* Nuno Fernandes <nuno at ufp.edu.pt>
> *To:* Stephen Marquard <stephen.marquard at uct.ac.za>
> *Cc:* Hai Vo Thanh <v0thanhhai at yahoo.com>;
> sakai-dev at collab.sakaiproject.org
> *Sent:* Fri, January 15, 2010 11:59:24 PM
>
> *Subject:* Re: [Building Sakai] question about admin privilege
>
> Right!
>
> With a custom SecurityAdvisor, you can also grant/deny/pass access only for
> a specific set of permissions and/or entity references...
>
> Nuno
>
> On Fri, Jan 15, 2010 at 4:57 PM, Stephen Marquard <
> stephen.marquard at uct.ac.za> wrote:
>
>> There is also the option of using a SecurityAdvisor to permit the
>> current user to perform specific actions, rather than setting the user's
>> session to admin, which applies to any requests from that user while in
>> effect, and can lead to unintended security holes if the "admin-enabled"
>> action takes a while to execute, for example.
>>
>> Regards
>> Stephen
>>
>> >>> Nuno Fernandes <nuno at ufp.edu.pt> 1/15/2010 11:47 AM >>>
>> Hi Hai Vo,
>>
>> Are you trying to give admin privilege to a user on UI, or do you wish
>> to
>> perform an admin operation triggered by an user who don't have such
>> permission (eg, adding users to a site after an user (with access
>> role)
>> clicking on something on a tool page)?
>>
>> For the second case (done in code), you could probably use something
>> like:
>>
>> AdminExecution exec = new AdminExecution() {
>> @Override
>> public Object execution() throws Exception {
>> return performSakaiAdminOpAndReturnString();
>> }
>> };
>> try{
>> return (String) exec.execute();
>> }catch(Exception e){
>> log.error("Error while executing admin operation", e);
>> return null;
>> }
>>
>> where, *AdminExecution* is an abstract class:
>>
>> abstract class AdminExecution {
>> public AdminExecution() {};
>> public abstract Object execution() throws Exception;
>> public Object execute() throws Exception {
>> Object returnObject = null;
>> Session sakaiSession = sessionManager.getCurrentSession();
>> String currentUserId = sakaiSession.getUserId();
>> String currentUserEid = sakaiSession.getUserEid();
>> if(!"admin".equals(currentUserId)) {
>> // current user not admin
>> try {
>> sakaiSession.setUserId("admin");
>> sakaiSession.setUserEid("admin");
>> authGroupService.refreshUser("admin");
>> returnObject = execution();
>> } catch (Exception e) {
>> log.error("Error occurred while executing as Sakai Administrator",
>> e);
>> throw e;
>> } finally {
>> sakaiSession.setUserId(currentUserId);
>> sakaiSession.setUserEid(currentUserEid);
>> authGroupService.refreshUser(currentUserId);
>> }
>> }else{
>> // current user is admin
>> try {
>> returnObject = execution();
>> } catch (Exception e) {
>> log.error("Error occurred while executing as Sakai Administrator",
>> e);
>> throw e;
>> }
>> }
>> return returnObject;
>> }
>> }
>>
>> Hope it helps,
>> Nuno
>>
>> On Fri, Jan 15, 2010 at 8:48 AM, Hai Vo Thanh <v0thanhhai at yahoo.com>
>> wrote:
>>
>> > Dear all,
>> > is there any method that can set a user have admin privilege
>> temporally?
>> > Thanks.
>> > -----------
>> > Hai Vo
>> >
>> >
>> > _______________________________________________
>> > sakai-dev mailing list
>> > sakai-dev at collab.sakaiproject.org
>> > http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> >
>> > TO UNSUBSCRIBE: send email to
>> > sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>> > "unsubscribe"
>> >
>>
>>
>>
>> --
>> Nuno Fernandes
>>
>> Profile | http://facebook.com/nfgrilo |
>> http://linkedin.com/in/nfgrilo
>> Web | http://codingwithcoffee.com | http://twitter.com/nfgrilo
>> Work | Analyst/Programmer @ UFP-UV [http://elearning.ufp.pt]
>> | Analyst/Programmer @ Sakai Foundation [
>> http://sakaiproject.org]
>> | Sakai Fellow 2008 @ Sakai Foundation [
>> http://confluence.sakaiproject.org//x/6oCTAQ]
>> Address | Universidade Fernando Pessoa [http://www.ufp.pt]
>> | Praça 9 de Abril, 349 | 4249-004 Porto
>> | tel: + 351 22 507 13 00 | fax: + 351 22 550 82 69
>>
>>
>
>
> --
> Nuno Fernandes
>
> Profile | http://facebook.com/nfgrilo | http://linkedin.com/in/nfgrilo
> Web | http://codingwithcoffee.com | http://twitter.com/nfgrilo
> Work | Analyst/Programmer @ UFP-UV [http://elearning.ufp.pt]
> | Analyst/Programmer @ Sakai Foundation [
> http://sakaiproject.org]
> | Sakai Fellow 2008 @ Sakai Foundation [
> http://confluence.sakaiproject.org//x/6oCTAQ]
> Address | Universidade Fernando Pessoa [http://www.ufp.pt]
> | Praça 9 de Abril, 349 | 4249-004 Porto
> | tel: + 351 22 507 13 00 | fax: + 351 22 550 82 69
>
>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to
> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
> "unsubscribe"
>
--
Nuno Fernandes
Profile | http://facebook.com/nfgrilo | http://linkedin.com/in/nfgrilo
Web | http://codingwithcoffee.com | http://twitter.com/nfgrilo
Work | Analyst/Programmer @ UFP-UV [http://elearning.ufp.pt]
| Analyst/Programmer @ Sakai Foundation [
http://sakaiproject.org]
| Sakai Fellow 2008 @ Sakai Foundation [
http://confluence.sakaiproject.org//x/6oCTAQ]
Address | Universidade Fernando Pessoa [http://www.ufp.pt]
| Praça 9 de Abril, 349 | 4249-004 Porto
| tel: + 351 22 507 13 00 | fax: + 351 22 550 82 69
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20100118/9fd33f74/attachment.html
More information about the sakai-dev
mailing list