[Using Sakai] [Building Sakai] user login reverts to admin user

David Horwitz david.horwitz at uct.ac.za
Mon Aug 20 06:52:20 PDT 2012


FYI The security advisor:

https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html


To set the advisor:


// imports the snippet relies on (SecurityAdvice is the enum nested in SecurityAdvisor)
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityAdvisor.SecurityAdvice;
import org.sakaiproject.user.api.UserDirectoryService;

// we need a security advisor
SecurityAdvisor secAdvice = new SecurityAdvisor() {
    public SecurityAdvice isAllowed(String userId, String function, String reference) {
        log.debug("isAllowed( " + userId + ", " + function + ", " + reference);
        if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
            return SecurityAdvice.ALLOWED;
        } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
            return SecurityAdvice.ALLOWED;
        } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
            log.debug("advising user can delete users");
            return SecurityAdvice.ALLOWED;
        } else {
            return SecurityAdvice.NOT_ALLOWED;
        }
    }
};
securityService.pushAdvisor(secAdvice);


and to clear it:

SecurityAdvisor sa = securityService.popAdvisor();



D
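
An added example (not code from the original thread or from the Sakai project) of the pattern recommended above: the elevated permissions go into a SecurityAdvisor that is pushed for one unit of work and always popped in a finally block, instead of rewriting the current session's user to admin as in the snippet quoted below. The class name ScopedAdvisorExample and the allowOnly helper are my own; the Sakai API calls (SecurityService.pushAdvisor/popAdvisor, SecurityAdvisor.SecurityAdvice, the UserDirectoryService constants) are the ones referenced in the thread and its linked javadoc.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityAdvisor.SecurityAdvice;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.user.api.UserDirectoryService;

/**
 * Hypothetical helper (not part of Sakai) showing how to scope a SecurityAdvisor
 * to a single block of work. securityService would normally be injected by Spring.
 */
public class ScopedAdvisorExample {

    private final SecurityService securityService;

    public ScopedAdvisorExample(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Builds an advisor that grants exactly the named functions and returns PASS
     * for everything else, so ordinary permission checks still apply while the
     * advisor is on the stack (NOT_ALLOWED would veto them instead).
     */
    public static SecurityAdvisor allowOnly(String... functions) {
        final Set<String> allowed = new HashSet<String>(Arrays.asList(functions));
        return new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String userId, String function, String reference) {
                return allowed.contains(function) ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS;
            }
        };
    }

    /**
     * Runs `work` with permission to update any user, and nothing more.
     * The advisor stack is per thread, so the finally block matters: an advisor that
     * is never popped stays on the thread and elevates whatever that thread does next,
     * which is the same class of bug as leaving the session user set to admin.
     */
    public void runWithUserUpdatePermission(Runnable work) {
        SecurityAdvisor advisor = allowOnly(UserDirectoryService.SECURE_UPDATE_USER_ANY);
        securityService.pushAdvisor(advisor);
        try {
            work.run();
        } finally {
            securityService.popAdvisor();
        }
    }

    // Example call site (sketch): the current session user stays unchanged throughout.
    //
    //   helper.runWithUserUpdatePermission(new Runnable() {
    //       public void run() {
    //           // userDirectoryService.commitEdit(...) or similar update of another user
    //       }
    //   });
}
```

Two design points worth checking in your own code: return PASS rather than NOT_ALLOWED for functions the advisor does not care about, otherwise every other permission check made while the advisor is pushed is denied; and never rely on popping the advisor "later", because an exception between push and pop leaves it on the thread.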

On 08/20/2012 03:40 PM, David Wafula wrote:
> That should explain it...we did some session calls somewhere...in the 
> code. Will correct it.
>
> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz 
> <david.horwitz at uct.ac.za <mailto:david.horwitz at uct.ac.za>> wrote:
>
>     This sounds like somewhere something is setting the current
>     session user to admin. I would look at any code you run in the
>     login for something like:
>
>      Session sakaiSession = sessionManager.getCurrentSession();
>      sakaiSession.setUserId("admin");
>      sakaiSession.setUserEid("admin");
>
>     Code like this should not be called in any user thread,
>     SecurityAdvisors are a better bet ....
>
>     D
>
>
>
>     On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>
>>     Hi All
>>
>>     We’ve been experiencing a number of random though isolated
>>     incidences of users unsuccessfully logging into Sakai (with their
>>     correct details) but with their browser window immediately
>>     returning a screen which shows SAKAI admin user rights, i.e. they
>>     somehow manage to log into SAKAI as an admin! Obviously this
>>     poses a huge security breach for us. Has anyone else ever
>>     experienced this?
>>
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     sakai-user mailing list
>>     sakai-user at collab.sakaiproject.org  <mailto:sakai-user at collab.sakaiproject.org>
>>     http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>
>>     TO UNSUBSCRIBE: send email tosakai-user-unsubscribe at collab.sakaiproject.org  <mailto:sakai-user-unsubscribe at collab.sakaiproject.org>  with a subject of "unsubscribe"
>
>
>     _______________________________________________
>     sakai-dev mailing list
>     sakai-dev at collab.sakaiproject.org
>     <mailto:sakai-dev at collab.sakaiproject.org>
>     http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
>     TO UNSUBSCRIBE: send email to
>     sakai-dev-unsubscribe at collab.sakaiproject.org
>     <mailto:sakai-dev-unsubscribe at collab.sakaiproject.org> with a
>     subject of "unsubscribe"
>
>
>
>
> -- 
> David Wafula