[Building Sakai] Developer Helper Service

Stephen Marquard stephen.marquard at uct.ac.za
Wed Sep 17 04:18:12 PDT 2014 

If you look at the implementation of isSuperUser() in kernel-impl/src/main/java/org/sakaiproject/authz/impl/SakaiSecurity.java, it seems in theory you could achieve that with a securityadvisor by allowing SiteService.SECURE_UPDATE_SITE for /site/!admin.

In practice that method also does caching, so it seems like you could cache the results of that authz lookup which would persist after the SecurityAdvisor had gone away, which would obviously be undesireable.

The disadvantage of setting the user’s session temporarily to be admin is that the privilege applies to the whole session, so if the operation takes a long time, any other requests from the user will have admin rights. A small but possible exploitable window.

Regards
Stephen

---
Stephen Marquard, Learning Technologies Co-ordinator,
Centre for Innovation in Learning and Teaching (CILT)
University of Cape Town
http://www.cilt.uct.ac.za
stephen.marquard at uct.ac.za<mailto:stephen.marquard at uct.ac.za>
Phone: +27-21-650-5037 Cell: +27-83-500-5290

From: Nguni Phakela [mailto:nguni52 at gmail.com]
Sent: 17 September 2014 01:01 PM
To: Stephen Marquard
Cc: Sakai Developers
Subject: Re: [Building Sakai] Developer Helper Service

Hi Stephen,

In CourseManagementAdministrationAuthzAdvisor.java there is this check

if(!securityService.isSuperUser()) {
 if(log.isDebugEnabled()) log.debug("Denying access to CM Administration on method " + method);
    throw new PermissionException("Only Sakai super-users (admins) can modify CM data");
}


edu-services-1.1.1/cm-service/cm-impl/hibernate-impl/impl/src/java/org/sakaiproject/coursemanagement/impl/aop/CourseManagementAdministrationAuthzAdvisor.java

So anytime you would like to create new sections you have to be a super admin.

Is there a way to do it without 'logging' in temporarily as an admin by using the SecurityAdvisor?

Cheers,
Nguni

--
Nguni Phakela
Cell: 061-131-2053
skype: nguni52
twitter: @nguni52

On Wed, Sep 17, 2014 at 12:31 PM, Stephen Marquard <stephen.marquard at uct.ac.za<mailto:stephen.marquard at uct.ac.za>> wrote:
Can you give an example?

Regards
Stephen

---
Stephen Marquard, Learning Technologies Co-ordinator,
Centre for Innovation in Learning and Teaching (CILT)
University of Cape Town
http://www.cilt.uct.ac.za
stephen.marquard at uct.ac.za<mailto:stephen.marquard at uct.ac.za>
Phone: +27-21-650-5037<tel:%2B27-21-650-5037> Cell: +27-83-500-5290<tel:%2B27-83-500-5290>

From: Nguni Phakela [mailto:nguni52 at gmail.com<mailto:nguni52 at gmail.com>]
Sent: 17 September 2014 12:26 PM
To: Stephen Marquard
Cc: Sakai Developers
Subject: Re: [Building Sakai] Developer Helper Service

Hi Stephen,

In the case where the functionality can only be done by Super User, how does the security advisor handle that?

Cheers,
Nguni

--
Nguni Phakela
Cell: 061-131-2053
skype: nguni52
twitter: @nguni52

On Wed, Sep 17, 2014 at 12:15 PM, Stephen Marquard <stephen.marquard at uct.ac.za<mailto:stephen.marquard at uct.ac.za>> wrote:
You should probably avoid changing the current user’s session to admin at any time, for any reason.

Rather use a SecurityAdvisor to permit the actions which your code does on behalf of the user, and then clear it when done.

Regards
Stephen

---
Stephen Marquard, Learning Technologies Co-ordinator,
Centre for Innovation in Learning and Teaching (CILT)
University of Cape Town
http://www.cilt.uct.ac.za
stephen.marquard at uct.ac.za<mailto:stephen.marquard at uct.ac.za>
Phone: +27-21-650-5037<tel:%2B27-21-650-5037> Cell: +27-83-500-5290<tel:%2B27-83-500-5290>

From: sakai-dev-bounces at collab.sakaiproject.org<mailto:sakai-dev-bounces at collab.sakaiproject.org> [mailto:sakai-dev-bounces at collab.sakaiproject.org<mailto:sakai-dev-bounces at collab.sakaiproject.org>] On Behalf Of Nguni Phakela
Sent: 17 September 2014 12:09 PM
To: Sakai Developers
Subject: [Building Sakai] Developer Helper Service

Hi,

I am using developer helper service. I am adding users to Sakai and also to a course via courseManagementAdministration.

I am using developerHelperService to become admin, and then I want to 'logout' the admin after by using restoreCurrentUser.

The user sees the login screen, however after successful authentication, they are logged in as admin, not using their account.

Is there a better way to do this, or how do I restore the previous session if there was no one logged in?

Cheers,
--
Nguni Phakela
Cell: 061-131-2053
skype: nguni52
twitter: @nguni52
________________________________
UNIVERSITY OF CAPE TOWN

This e-mail is subject to the UCT ICT policies and e-mail disclaimer published on our website at http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from +27 21 650 9111<tel:%2B27%2021%20650%209111>. This e-mail is intended only for the person(s) to whom it is addressed. If the e-mail has reached you in error, please notify the author. If you are not the intended recipient of the e-mail you may not use, disclose, copy, redirect or print the content. If this e-mail is not related to the business of UCT it is sent by the sender in the sender's individual capacity.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20140917/9e3ce0ef/attachment.html

More information about the sakai-dev mailing list