Sakai / SAK-42451

Allow CM services to be used with a SecurityAdvisor


    Details

    • Type: Task
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 19.2
    • Fix Version/s: 20.0
    • Component/s: None
    • Labels:
      None
    • Test Plan:

      Test using a SecurityAdvisor like this to wrap some code which calls methods in the CM service, e.g. CourseManagementAdministration.createAcademicSession(term, term, term, start, end);

      SecurityAdvisor spmlAdvisor = new SecurityAdvisor() {
        public SecurityAdvice isAllowed(String userId, String function, String reference) {
          // CM updates
          if ("cm.admin".equals(function)) {
            return SecurityAdvice.ALLOWED;
          } else {
            return SecurityAdvice.PASS;
          }
        }
      };
      

      Description

      The course-management service only allows updates from admin-equivalent users, checked with SecurityService.isSuperUser().

      This means it's not possible to use a SecurityAdvisor to allow a thread running as a non-admin user to update course management information.

      As using a SecurityAdvisor is sometimes preferable to setting the user session to admin temporarily, this change introduces a pseudo permission and reference that can be allowed in a SecurityAdvisor to enable code to perform CM updates.
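
      One way to wrap a CM update in the advisor from the test plan, as an added example that is not part of the original issue or the Sakai code base. The class name TermProvisioner and the constructor injection are assumptions; pushAdvisor/popAdvisor are the existing SecurityService calls, and the advisor matches only the "cm.admin" function because the page does not give the pseudo reference value.

```java
import java.util.Date;

import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.coursemanagement.api.AcademicSession;
import org.sakaiproject.coursemanagement.api.CourseManagementAdministration;

// Hypothetical helper class; both services are assumed to be injected by the container.
public class TermProvisioner {

    private final SecurityService securityService;
    private final CourseManagementAdministration cmAdmin;

    public TermProvisioner(SecurityService securityService,
                           CourseManagementAdministration cmAdmin) {
        this.securityService = securityService;
        this.cmAdmin = cmAdmin;
    }

    public AcademicSession createTerm(String term, Date start, Date end) {
        // Grant only the CM pseudo permission. Every other function returns PASS,
        // so it is still decided by the normal authorization rules for the
        // current (non-admin) user.
        SecurityAdvisor cmAdvisor = new SecurityAdvisor() {
            @Override
            public SecurityAdvice isAllowed(String userId, String function, String reference) {
                return "cm.admin".equals(function) ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS;
            }
        };

        securityService.pushAdvisor(cmAdvisor);
        try {
            // Same call as in the test plan above.
            return cmAdmin.createAcademicSession(term, term, term, start, end);
        } finally {
            // Always remove the advisor, even if the CM call throws, so the
            // grant does not stay on this thread for later, unrelated checks.
            securityService.popAdvisor(cmAdvisor);
        }
    }
}
```

      Keeping the push and pop around the single CM call limits the elevated permission to that call, which is the narrower alternative to switching the session to admin that the description refers to.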


                People

                Assignee:
                smarquard Stephen Marquard
                Reporter:
                smarquard Stephen Marquard