[Building Sakai] [Using Sakai] user login reverts to admin user

David Wafula davidwaf at gmail.com
Mon Aug 20 07:01:37 PDT 2012


Thanks David. Will this code work when the current user session is not
necessarily an admin? Take, for instance, the following use case:

When student A logs in to Sakai, the system requests extra info from an
external student system, e.g. the official courses this student has
enrolled for at the University, then auto-adds them as members to the
course if the course exists and they are not members there yet, and
updates other info about the student too. This synchronization has to
happen every time they log in. Auto-adding them as members needs admin
privileges, so would this code work in this case?
Thanks.


On Mon, Aug 20, 2012 at 3:52 PM, David Horwitz <david.horwitz at uct.ac.za> wrote:

>  FYI The security advisor:
>
>
> https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html
>
>
> To set the advisor:
>
>
> // we need a security advisor
> SecurityAdvisor secAdvice = new SecurityAdvisor() {
>     public SecurityAdvice isAllowed(String userId, String function, String reference) {
>         log.debug("isAllowed( " + userId + ", " + function + ", " + reference);
>         if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
>             log.debug("advising user can delete users");
>             return SecurityAdvice.ALLOWED;
>         } else {
>             return SecurityAdvice.NOT_ALLOWED;
>         }
>     }
> };
> securityService.pushAdvisor(secAdvice);
>
>
> and to clear it:
>
> SecurityAdvisor sa = securityService.popAdvisor();
>
>
>
> D
>
>
> On 08/20/2012 03:40 PM, David Wafula wrote:
>
> That should explain it...we did some session calls somewhere...in the
> code. Will correct it.
>
> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz <david.horwitz at uct.ac.za> wrote:
>
>>  This sounds like somewhere something is setting the current session user
>> to admin. I would look at any code you run in the login for something like:
>>
>>  Session sakaiSession = sessionManager.getCurrentSession();
>>  sakaiSession.setUserId("admin");
>>  sakaiSession.setUserEid("admin");
>>
>> Code like this should not be called in any user thread, SecurityAdvisors
>> are a better bet ....
>>
>> D
>>
>>
>>
>> On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>
>> Hi All
>>
>> We've been experiencing a number of random though isolated incidents of
>> users unsuccessfully logging into Sakai (with their correct details) but
>> with their browser window immediately returning a screen which shows
>> SAKAI admin user rights, i.e. they somehow manage to log into SAKAI as an
>> admin! Obviously this poses a huge security breach for us. Has anyone else
>> ever experienced this?
>>
>>
>>
>>
>>
>> This communication is intended for the addressee only. It is confidential. If you have received this communication in error, please notify us immediately and destroy the original message. You may not copy or disseminate this communication without the permission of the University. Only authorized signatories are competent to enter into agreements on behalf of the University and recipients are thus advised that the content of this message may not be legally binding on the University and may contain the personal views and opinions of the author, which are not necessarily the views and opinions of The University of the Witwatersrand, Johannesburg. All agreements between the University and outsiders are subject to South African Law unless the University agrees in writing to the contrary.
>>
>>
>>
>>
>> _______________________________________________
>> sakai-user mailing list
>> sakai-user at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>
>> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>
>>
>>
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>
>> TO UNSUBSCRIBE: send email to
>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>> "unsubscribe"
>>
>
>
>
>  --
> David Wafula
>
>
>


-- 
David Wafula
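Editor's added example (not code from this thread and not part of Sakai): the per-login enrolment sync described above, done the way Horwitz recommends, i.e. without ever changing the session user. The advisor is pushed and popped on the request thread inside try/finally, grants exactly one function (SECURE_UPDATE_AUTHZ_GROUP) for exactly the course realms being synchronised, and only when the permission check is for the student who is logging in. The class and package names, the `roleId` parameter and the list of site ids are assumptions for illustration; the kernel calls `siteReference`, `getAuthzGroup`, `getMember`, `addMember` and `save` are used as I understand the kernel API and should be checked against the kernel version you run.

```java
package example.sync; // hypothetical package; this class is not part of Sakai

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.sakaiproject.authz.api.AuthzGroup;
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.AuthzPermissionException;
import org.sakaiproject.authz.api.GroupNotDefinedException;
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.site.api.SiteService;

/**
 * Added example, not Sakai code: per-login enrolment sync that elevates
 * through a narrowly scoped SecurityAdvisor instead of rewriting the
 * session user. The session stays the student's own; only the advisor,
 * pushed and popped on this thread inside try/finally, grants the extra
 * right, and only for the realms being synchronised.
 */
public class EnrolmentSync {

    private static final Log log = LogFactory.getLog(EnrolmentSync.class);

    private final SecurityService securityService;
    private final AuthzGroupService authzGroupService;
    private final SiteService siteService;

    public EnrolmentSync(SecurityService securityService,
                         AuthzGroupService authzGroupService,
                         SiteService siteService) {
        this.securityService = securityService;
        this.authzGroupService = authzGroupService;
        this.siteService = siteService;
    }

    /**
     * Adds userId to every site in siteIds that exists and does not already
     * have them as a member. siteIds is assumed to come from the external
     * student system; roleId (e.g. "Student") is the caller's choice.
     */
    public void syncEnrolments(final String userId, List<String> siteIds, String roleId) {
        // Realm references the advisor may authorise, e.g. "/site/abc123".
        final Set<String> allowedRefs = new HashSet<String>();
        for (String siteId : siteIds) {
            allowedRefs.add(siteService.siteReference(siteId));
        }

        SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String checkedUserId, String function, String reference) {
                // Grant exactly one function, for exactly these realms, and
                // only when the check is for the user being synchronised.
                if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)
                        && userId.equals(checkedUserId)
                        && allowedRefs.contains(reference)) {
                    return SecurityAdvice.ALLOWED;
                }
                // PASS: let the normal permission check decide everything else,
                // rather than refusing unrelated checks while we are pushed.
                return SecurityAdvice.PASS;
            }
        };

        securityService.pushAdvisor(advisor);
        try {
            for (String siteId : siteIds) {
                String ref = siteService.siteReference(siteId);
                try {
                    AuthzGroup realm = authzGroupService.getAuthzGroup(ref);
                    if (realm.getMember(userId) != null) {
                        continue; // already a member: nothing to change
                    }
                    // active = true; provided = true marks the membership as
                    // externally provided rather than manually added.
                    realm.addMember(userId, roleId, true, true);
                    authzGroupService.save(realm);
                } catch (GroupNotDefinedException e) {
                    log.debug("course site " + ref + " does not exist, skipping");
                } catch (AuthzPermissionException e) {
                    // The advisor did not cover this save. Do not widen the
                    // advisor to make it pass; record it and move on.
                    log.warn("not permitted to add " + userId + " to " + ref, e);
                }
            }
        } finally {
            // Always undo the elevation on the same thread that pushed it,
            // even if a save above threw. popAdvisor() removes the top advisor,
            // so push nothing else between pushAdvisor and this call.
            securityService.popAdvisor();
        }
    }
}
```

Two design points. First, `SecurityAdvice` has a third value, `PASS`, next to `ALLOWED` and `NOT_ALLOWED`; an advisor that answers `NOT_ALLOWED` for every function it does not recognise refuses every unrelated permission check made on that thread for as long as it is pushed, so an advisor should only have an opinion about the functions and references it exists to elevate. Second, the reason `setUserId("admin")` in a login hook produces exactly the symptom Fatima reports is that the `Session` belongs to the browser's user and outlives the request; change its user id once and that browser is admin from then on. An advisor is scoped to the thread and to the push/pop pair, so when the `finally` runs there is nothing left to leak.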