[Building Sakai] CourseManagementAdministration removeSectionMembership(..) ignores SecurityAdvisor?

Steve Swinsburg steve.swinsburg at gmail.com
Wed Aug 22 13:33:45 PDT 2012


That's what I meant, to check for a permission. I was on my iPad ;)


On 22/08/2012, at 10:20 PM, Aaron Zeckoski <azeckoski at unicon.net> wrote:

> Code should not check for an advisor. It should just check a
> permission (or maybe super user). Checking for specific users or
> checking for advisors is not really safe.
> 
> -AZ
> 
> 
> On Wed, Aug 22, 2012 at 7:40 AM, Steve Swinsburg
> <steve.swinsburg at gmail.com> wrote:
>> It's possible that the code doesn't check for an advisor and just checks if you are admin. Whilst not the best, if it works then it is safe since the finally will always run. A bug should be filed on that code to check for an advisor though, if that is indeed the case.
>> 
>> Cheers,
>> Steve
>> 
>> Sent from my iPad
>> 
>> On 22/08/2012, at 19:44, David Wafula <davidwaf at gmail.com> wrote:
>> 
>>> Dear all,
>>> Using 2.8.0.
>>> 
>>> The following code ignores the use of SecurityAdvisor when calling
>>> CourseManagementAdministration.removeSectionMembership():
>>> 
>>> SecurityAdvisor localSecAdvisor = new SecurityAdvisor() {...};
>>> try {
>>>     securityService.pushAdvisor(localSecAdvisor);
>>>     courseManagementAdministration.removeSectionMembership(user.getEid(), sectionId);
>>> } finally {
>>>     securityService.popAdvisor(localSecAdvisor);
>>> }
>>> 
>>> 
>>> but works with this:
>>> 
>>> Session localSakaiSession = null;
>>> User currentUser = null;
>>> try {
>>>     currentUser = userDirectoryService.getCurrentUser();
>>>     localSakaiSession = sessionManager.getCurrentSession();
>>>     localSakaiSession.setUserId("admin");
>>>     localSakaiSession.setUserEid("admin");
>>>     ...
>>>     ...
>>> } finally {
>>>     localSakaiSession.setUserEid(currentUser.getEid());
>>>     localSakaiSession.setUserId(currentUser.getId());
>>> }
>>> 
>>> 
>>> Is the try..finally safe when using
>>> localSakaiSession.setUserId("admin") etc.?
>>> 
>>> Thanks.
>>> --
>>> David Wafula
>>> _______________________________________________
>>> sakai-dev mailing list
>>> sakai-dev at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>> 
>>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
> 
> 
> -- 
> Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
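
An added example, not part of the thread and not Sakai code: a self-contained toy model of an advisor stack, showing why a pushed advisor has no effect on a method that tests for the admin identity (the possibility raised in the thread) but does satisfy a method that checks a permission. `ToySecurity`, both guard methods, the function name `section.remove.member` and the sample reference are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class AdvisorDemo {
    enum Advice { ALLOWED, NOT_ALLOWED, PASS }

    interface Advisor { Advice isAllowed(String userId, String function, String reference); }

    // Toy stand-in for a security service with an advisor stack (not Sakai's implementation).
    static class ToySecurity {
        private final Deque<Advisor> advisors = new ArrayDeque<>();
        String currentUser = "instructor1";   // constructed, non-admin user

        void pushAdvisor(Advisor a) { advisors.push(a); }
        void popAdvisor(Advisor a) { advisors.remove(a); }
        boolean isSuperUser() { return "admin".equals(currentUser); }

        // Permission check: advisors are consulted first, then the real grants.
        boolean unlock(String function, String reference) {
            for (Advisor a : advisors) {
                Advice advice = a.isAllowed(currentUser, function, reference);
                if (advice != Advice.PASS) return advice == Advice.ALLOWED;
            }
            return isSuperUser();   // toy rule: only admin holds real grants
        }
    }

    // Guard A: identity check. No advisor can satisfy it.
    static boolean removeIfAdmin(ToySecurity s, String ref) { return s.isSuperUser(); }

    // Guard B: permission check. A scoped advisor satisfies it.
    static boolean removeIfPermitted(ToySecurity s, String ref) { return s.unlock("section.remove.member", ref); }

    public static void main(String[] args) {
        ToySecurity sec = new ToySecurity();
        String ref = "/section/demo-1";   // constructed sample reference
        // Advisor scoped to one function on one reference; everything else falls through.
        Advisor scoped = (user, function, reference) ->
            "section.remove.member".equals(function) && ref.equals(reference) ? Advice.ALLOWED : Advice.PASS;
        sec.pushAdvisor(scoped);
        try {
            System.out.println("admin-only guard: " + removeIfAdmin(sec, ref));
            System.out.println("permission guard: " + removeIfPermitted(sec, ref));
            System.out.println("other function:   " + sec.unlock("site.upd", ref));
        } finally {
            sec.popAdvisor(scoped);   // always removed, even if the call throws
        }
        System.out.println("after pop:        " + removeIfPermitted(sec, ref));
    }
}
```

Unlike swapping the session user to "admin", the scoped advisor grants only the one function on the one reference, and only until it is popped.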


