[Building Sakai] Developer Helper Service
Stephen Marquard
stephen.marquard at uct.ac.za
Wed Sep 17 04:18:12 PDT 2014
If you look at the implementation of isSuperUser() in kernel-impl/src/main/java/org/sakaiproject/authz/impl/SakaiSecurity.java, it seems in theory you could achieve that with a securityadvisor by allowing SiteService.SECURE_UPDATE_SITE for /site/!admin.
In practice that method also does caching, so it seems like you could cache the results of that authz lookup which would persist after the SecurityAdvisor had gone away, which would obviously be undesirable.
The disadvantage of setting the user’s session temporarily to be admin is that the privilege applies to the whole session, so if the operation takes a long time, any other requests from the user will have admin rights. A small but possibly exploitable window.
Regards
Stephen
---
Stephen Marquard, Learning Technologies Co-ordinator,
Centre for Innovation in Learning and Teaching (CILT)
University of Cape Town
http://www.cilt.uct.ac.za
stephen.marquard at uct.ac.za
Phone: +27-21-650-5037 Cell: +27-83-500-5290
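As an added example, not code from this thread or from Sakai itself: the shape Stephen recommends, pushing one narrowly scoped SecurityAdvisor around the privileged work and always popping it when done, instead of switching the user's session to admin. It assumes the Sakai kernel SecurityService.pushAdvisor/popAdvisor API and the SecurityAdvisor.SecurityAdvice enum; ScopedAdvisorRunner and the work Runnable are hypothetical names.

```java
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;

/**
 * Added example (hypothetical class, not part of Sakai): runs one privileged
 * operation under a SecurityAdvisor that grants exactly one (function,
 * reference) pair, and removes the advisor again even if the work throws.
 */
public final class ScopedAdvisorRunner {

    private final SecurityService securityService;

    public ScopedAdvisorRunner(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Grant only {@code function} on {@code reference} while {@code work} runs.
     * Every other authz question is answered PASS, so the normal permission
     * check still applies and the advisor cannot act as a general admin switch.
     */
    public void runWithPermission(final String function, final String reference, Runnable work) {
        SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvisor.SecurityAdvice isAllowed(String userId, String fn, String ref) {
                if (function.equals(fn) && reference.equals(ref)) {
                    return SecurityAdvisor.SecurityAdvice.ALLOWED;
                }
                return SecurityAdvisor.SecurityAdvice.PASS;
            }
        };

        securityService.pushAdvisor(advisor);
        try {
            work.run();
        } finally {
            // Pop in finally: an advisor left on the stack after an exception
            // would keep granting the permission to later requests.
            securityService.popAdvisor(advisor);
        }
    }
}
```

This grants one permission for the duration of one call rather than admin rights for the whole session; it does not make isSuperUser() return true, and given the caching Stephen describes it should not be used to try to make it do so.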
From: Nguni Phakela [mailto:nguni52 at gmail.com]
Sent: 17 September 2014 01:01 PM
To: Stephen Marquard
Cc: Sakai Developers
Subject: Re: [Building Sakai] Developer Helper Service
Hi Stephen,
In CourseManagementAdministrationAuthzAdvisor.java there is this check
    if(!securityService.isSuperUser()) {
        if(log.isDebugEnabled()) log.debug("Denying access to CM Administration on method " + method);
        throw new PermissionException("Only Sakai super-users (admins) can modify CM data");
    }
edu-services-1.1.1/cm-service/cm-impl/hibernate-impl/impl/src/java/org/sakaiproject/coursemanagement/impl/aop/CourseManagementAdministrationAuthzAdvisor.java
So anytime you would like to create new sections you have to be a super admin.
Is there a way to do it without 'logging' in temporarily as an admin by using the SecurityAdvisor?
Cheers,
Nguni
--
Nguni Phakela
Cell: 061-131-2053
skype: nguni52
twitter: @nguni52
On Wed, Sep 17, 2014 at 12:31 PM, Stephen Marquard <stephen.marquard at uct.ac.za> wrote:
Can you give an example?
Regards
Stephen
From: Nguni Phakela [mailto:nguni52 at gmail.com]
Sent: 17 September 2014 12:26 PM
To: Stephen Marquard
Cc: Sakai Developers
Subject: Re: [Building Sakai] Developer Helper Service
Hi Stephen,
In the case where the functionality can only be done by Super User, how does the security advisor handle that?
Cheers,
Nguni
On Wed, Sep 17, 2014 at 12:15 PM, Stephen Marquard <stephen.marquard at uct.ac.za> wrote:
You should probably avoid changing the current user’s session to admin at any time, for any reason.
Rather use a SecurityAdvisor to permit the actions which your code does on behalf of the user, and then clear it when done.
Regards
Stephen
From: sakai-dev-bounces at collab.sakaiproject.org [mailto:sakai-dev-bounces at collab.sakaiproject.org] On Behalf Of Nguni Phakela
Sent: 17 September 2014 12:09 PM
To: Sakai Developers
Subject: [Building Sakai] Developer Helper Service
Hi,
I am using developer helper service. I am adding users to Sakai and also to a course via courseManagementAdministration.
I am using developerHelperService to become admin, and then I want to 'logout' the admin after by using restoreCurrentUser.
The user sees the login screen, however after successful authentication, they are logged in as admin, not using their account.
Is there a better way to do this, or how do I restore the previous session if there was no one logged in?
Cheers,