[Building Sakai] [Using Sakai] user login reverts to admin user
David Horwitz
david.horwitz at uct.ac.za
Mon Aug 20 07:10:43 PDT 2012
Yes - you simply need to tweak your SecurityAdvisor implementation to
return true on the permissions you need (sounds like realm.upd in this
case).
The advantage of a security advisor is that they expire at the end of the
thread.
D
On 08/20/2012 04:01 PM, David Wafula wrote:
> Thanks David. Will this code work when the current user session is
> not necessarily an admin? Take for instance, we have the following use
> case:
>
> When student A logs in to Sakai, the system requests extra info from an
> external students system, e.g. the official courses this student has
> enrolled for at the University, then auto-adds them as members to the
> course, if the course exists and they are not members there yet. And
> updates other info about the student too. This synchronization has to
> happen every time they log in. Auto-adding them as members needs
> admin privileges, so would this code work in this case?
> Thanks.
>
>
> On Mon, Aug 20, 2012 at 3:52 PM, David Horwitz
> <david.horwitz at uct.ac.za <mailto:david.horwitz at uct.ac.za>> wrote:
>
> FYI The security advisor:
>
> https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html
>
>
> To set the advisor:
>
>
> // we need a security advisor
> SecurityAdvisor secAdvice = new SecurityAdvisor() {
>     public SecurityAdvice isAllowed(String userId, String function, String reference) {
>         log.debug("isAllowed( " + userId + ", " + function + ", " + reference + " )");
>         if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
>             log.debug("advising user can delete users");
>             return SecurityAdvice.ALLOWED;
>         } else {
>             return SecurityAdvice.NOT_ALLOWED;
>         }
>     }
> };
> securityService.pushAdvisor(secAdvice);
>
>
> and to clear it:
>
> SecurityAdvisor sa = securityService.popAdvisor();
>
>
>
> D
>
>
> On 08/20/2012 03:40 PM, David Wafula wrote:
>> That should explain it...we did some session calls somewhere...in
>> the code. Will correct it.
>>
>> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz
>> <david.horwitz at uct.ac.za <mailto:david.horwitz at uct.ac.za>> wrote:
>>
>> This sounds like somewhere something is setting the current
>> session user to admin. I would look at any code you run in
>> the login for something like:
>>
>> Session sakaiSession = sessionManager.getCurrentSession();
>> sakaiSession.setUserId("admin");
>> sakaiSession.setUserEid("admin");
>>
>> Code like this should not be called in any user thread,
>> SecurityAdvisors are a better bet ....
>>
>> D
>>
>>
>>
>> On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>>
>>> Hi All
>>>
>>> We've been experiencing a number of random, though isolated,
>>> incidences of users unsuccessfully logging into Sakai (with
>>> their correct details) but with their browser window
>>> immediately returning a screen which shows SAKAI admin
>>> user rights, i.e. they somehow manage to log into SAKAI as an
>>> admin! Obviously this poses a huge security breach for us.
>>> Has anyone else ever experienced this?
>>>
>>
>>
>>
>> --
>> David Wafula
>
> --
> David Wafula
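The pattern David recommends, applied to the login-time enrolment sync David Wafula describes, as an added example that is not from this thread and not Sakai's own code: the advisor grants only realm.upd, and only on the reference of the one realm being updated; every other decision returns SecurityAdvice.PASS so unrelated checks in the same thread fall through to normal permission evaluation rather than being blanket-denied; and the advisor is popped in a finally block and checked against the one pushed, so the grant cannot outlive the call even if save() throws. EnrolmentSync is a hypothetical class; the injected services and the AuthzGroupService/AuthzGroup calls (getAuthzGroup, getMember, addMember, save, getReference) are assumed from the kernel API and should be checked against your kernel version.

```java
import org.sakaiproject.authz.api.AuthzGroup;
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;

/** Hypothetical example: adds a user to one site realm under a narrowly scoped, always-popped advisor. */
public class EnrolmentSync {
    private final SecurityService securityService;     // injected by Spring (assumed)
    private final AuthzGroupService authzGroupService; // injected by Spring (assumed)

    public EnrolmentSync(SecurityService securityService, AuthzGroupService authzGroupService) {
        this.securityService = securityService;
        this.authzGroupService = authzGroupService;
    }

    /**
     * Returns true if userId was added to the realm, false if already a member.
     * realmId is the id of the course's authz group (supplied by the hypothetical caller).
     */
    public boolean addMemberIfMissing(String realmId, String userId, String roleId) throws Exception {
        AuthzGroup realm = authzGroupService.getAuthzGroup(realmId);
        if (realm.getMember(userId) != null) {
            return false; // already enrolled: no elevated privilege is needed at all
        }
        final String expectedRef = realm.getReference();

        // Grant exactly one function (realm.upd) on exactly one reference. Everything else
        // returns PASS so other checks in this thread are evaluated normally instead of
        // being blanket-denied by NOT_ALLOWED.
        final SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String advisedUserId, String function, String reference) {
                boolean match = AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)
                        && expectedRef.equals(reference);
                return match ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS;
            }
        };

        securityService.pushAdvisor(advisor);
        try {
            realm.addMember(userId, roleId, true, false); // active member, not provider-managed
            authzGroupService.save(realm);
            return true;
        } finally {
            // Pop in finally so the grant cannot outlive this call even when save() throws,
            // and verify the stack is balanced so a stray advisor is detected immediately.
            SecurityAdvisor popped = securityService.popAdvisor();
            if (popped != advisor) {
                throw new IllegalStateException("SecurityAdvisor stack unbalanced");
            }
        }
    }
}
```

Because the advisor is keyed on the realm reference, a concurrent call elsewhere in the same request that tries to update a different realm still goes through the normal permission check.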