[Building Sakai] [Using Sakai] user login reverts to admin user

John Bush john.bush at rsmart.com
Mon Aug 20 09:07:47 PDT 2012


Make sure you only return true for the permission(s) you need, not true all
the time, which would essentially be the same as setting the user to admin,
and you'll end up right back where you are now.

On Mon, Aug 20, 2012 at 7:10 AM, David Horwitz <david.horwitz at uct.ac.za> wrote:

>  Yes - you simply need to tweak your SecurityAdvisor implementation to
> return true on the permissions you need (sounds like realm.upd in this
> case).
>
> The advantage of a security advisor is they expire at the end of the
> thread.
>
> D
>
> On 08/20/2012 04:01 PM, David Wafula wrote:
>
> Thanks David. Will this code work when the current user session is not
> necessarily an admin? Take for instance, we have the following use case:
>
>  When student A logs in to Sakai, the system requests extra info from an
> external students system, e.g. the official courses this student has
> enrolled for at the University, then auto-adds them as members to the
> course, if the course exists and they are not members there yet. And
> updates other info about the student too. This synchronization has to
> happen every time they log in. Auto-adding them as members needs admin
> privileges, so would this code work in this case?
> Thanks.
>
>
> On Mon, Aug 20, 2012 at 3:52 PM, David Horwitz <david.horwitz at uct.ac.za> wrote:
>
>>  FYI The security advisor:
>>
>> https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html
>>
>> To set the advisor:
>>
>> // we need a security advisor (log and securityService are assumed to be injected)
>> SecurityAdvisor secAdvice = new SecurityAdvisor() {
>>     public SecurityAdvice isAllowed(String userId, String function, String reference) {
>>         log.debug("isAllowed( " + userId + ", " + function + ", " + reference + ")");
>>         if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
>>             return SecurityAdvice.ALLOWED;
>>         } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
>>             return SecurityAdvice.ALLOWED;
>>         } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
>>             log.debug("advising user can delete users");
>>             return SecurityAdvice.ALLOWED;
>>         } else {
>>             // any other function is denied while this advisor is on the stack
>>             // (PASS, by contrast, would defer to the normal permission check)
>>             return SecurityAdvice.NOT_ALLOWED;
>>         }
>>     }
>> };
>> securityService.pushAdvisor(secAdvice);
>>
>> and to clear it:
>>
>> SecurityAdvisor sa = securityService.popAdvisor();
>>
>> D
>>
>>
>> On 08/20/2012 03:40 PM, David Wafula wrote:
>>
>> That should explain it...we did some session calls somewhere...in the
>> code. Will correct it.
>>
>> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz <david.horwitz at uct.ac.za> wrote:
>>
>>>  This sounds like somewhere something is setting the current session
>>> user to admin. I would look at any code you run in the login for something
>>> like:
>>>
>>>  Session sakaiSession = sessionManager.getCurrentSession();
>>>  sakaiSession.setUserId("admin");
>>>  sakaiSession.setUserEid("admin");
>>>
>>> Code like this should not be called in any user thread, SecurityAdvisors
>>> are a better bet ....
>>>
>>> D
>>>
>>>
>>>
>>> On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>>
>>>   Hi All
>>>
>>> We’ve been experiencing a no. of random though isolated incidents of
>>> users unsuccessfully logging into Sakai (with their correct details) but
>>> with their browser window immediately returning a screen which shows
>>> SAKAI admin user rights, i.e. they somehow manage to log into SAKAI as an
>>> admin! Obviously this poses a huge security breach for us. Has anyone else
>>> ever experienced this?
>>>
>>> _______________________________________________
>>> sakai-user mailing list
>>> sakai-user at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>>
>>> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>>
>>>
>>>
>>> _______________________________________________
>>> sakai-dev mailing list
>>> sakai-dev at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>
>>> TO UNSUBSCRIBE: send email to
>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>> "unsubscribe"
>>>
>>
>>
>>
>>  --
>> David Wafula
>>
>>
>>
>
>
>  --
> David Wafula
>
>
>
>



-- 
John Bush
602-490-0470
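The least-privilege version of what the thread converges on (grant only realm.upd, on one realm, for one thread, popped in a finally block, and never call setUserId("admin") on the session), as an added example that is not code from the thread or from Sakai itself. EnrolmentSync, the injected services and the roleId argument are assumptions, as is the assumption that the reference Sakai checks when saving a realm is that AuthzGroup's own reference.

```java
import org.sakaiproject.authz.api.AuthzGroup;
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.AuthzPermissionException;
import org.sakaiproject.authz.api.GroupNotDefinedException;
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;

/** Hypothetical login-time enrolment sync; both services are assumed to be injected. */
public class EnrolmentSync {
    private SecurityService securityService;
    private AuthzGroupService authzGroupService;

    /** Adds userId to one realm with roleId; grants only realm.upd on that realm,
     *  on this thread, for the try block. The session user is never changed. */
    public void addToCourse(String userId, String realmId, String roleId)
            throws GroupNotDefinedException, AuthzPermissionException {
        final AuthzGroup group = authzGroupService.getAuthzGroup(realmId);
        final String realmRef = group.getReference();

        // Scoped advisor: ALLOWED only for realm.upd on exactly this realm.
        // PASS (not NOT_ALLOWED) for everything else, so other checks made on
        // this thread still fall through to the user's real permissions.
        // Assumption: the reference Sakai checks on save() is the group's own.
        SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String uid, String function, String reference) {
                if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)
                        && realmRef.equals(reference)) {
                    return SecurityAdvice.ALLOWED;
                }
                return SecurityAdvice.PASS;
            }
        };

        securityService.pushAdvisor(advisor);
        try {
            if (group.getMember(userId) == null) {
                // active = true; provided = false (not managed by a group provider)
                group.addMember(userId, roleId, true, false);
                authzGroupService.save(group);
            }
        } finally {
            // Always pop, even when save() throws, so the grant never outlives this call.
            securityService.popAdvisor();
        }
    }
}
```

Because the advisor returns PASS rather than ALLOWED for every other function, a bug elsewhere in the login path cannot ride on it to gain admin-equivalent rights, which is the failure mode John describes above.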

