From: <dcr...@hy...> - 2010-03-09 22:51:10
Author: dcrutchf
Date: 2010-03-09 14:51:01 -0800 (Tue, 09 Mar 2010)
New Revision: 14365
URL: http://svn.hyperic.org/?view=rev&root=Hyperic+HQ&revision=14365
Modified: trunk/src/org/hyperic/hq/authz/server/session/AuthzSubjectManagerEJBImpl.java
Log: [HHQ-3780] - Security, auth and permisions holes with users in view only role (including guest)
Modified: trunk/src/org/hyperic/hq/authz/server/session/AuthzSubjectManagerEJBImpl.java
===================================================================
--- trunk/src/org/hyperic/hq/authz/server/session/AuthzSubjectManagerEJBImpl.java 2010-03-09 22:12:41 UTC (rev 14364)
+++ trunk/src/org/hyperic/hq/authz/server/session/AuthzSubjectManagerEJBImpl.java 2010-03-09 22:51:01 UTC (rev 14365)
@@ -124,12 +124,8 @@
 String phone, String sms, Boolean useHtml)
 throws PermissionException
 {
- PermissionManager pm = PermissionManagerFactory.getInstance();
- if(!whoami.getId().equals(target.getId())) {
- pm.check(whoami.getId(), getRootResourceType().getId(), AuthzConstants.rootResourceId, AuthzConstants.perm_viewSubject);
+ checkModifyUsers(whoami);
 }
 if (active != null && target.getActive() != active.booleanValue()) {
@@ -206,6 +202,20 @@
 AuthzConstants.subjectOpModifySubject);
 }
+ /**
+ * Check if a subject can modify users
+ * @ejb:interface-method
+ */
+ public void checkCreateUsers(AuthzSubject caller)
+ throws PermissionException
+ {
+ PermissionManager pm = PermissionManagerFactory.getInstance();
+ pm.check(caller.getId(), getRootResourceType(), AuthzConstants.rootResourceId, AuthzConstants.subjectOpCreateSubject);
+ }
+
 /**
 * Delete the specified subject.
 *
|
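Review bot: The replacement check delegates to `checkModifyUsers(whoami)`, but the `if(!whoami.getId().equals(target.getId()))` guard appears among the removed lines while its closing brace survives as context, so from this rendering I cannot tell whether the self-edit exemption is retained or the hunk lost a line in extraction. If the guard is still there, a subject editing its own record skips the modify-subject check entirely, and this same method goes on to handle the `active` flag (`if (active != null && target.getActive() != active.booleanValue())`); the self-service path should not be able to change admin-controlled fields such as `active` without passing `checkModifyUsers`. The enclosing method's signature starts before the hunk, so its name and remaining parameters are not visible here. Its Javadoc should state the permission contract, for example `@throws PermissionException if whoami may not modify target`.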
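Review bot: The Javadoc on the new `checkCreateUsers` is a copy of the `checkModifyUsers` comment and describes the wrong operation; it should read `* Check if a subject can create users` and document the failure mode with `@throws PermissionException if the caller lacks subjectOpCreateSubject on the root resource`. Nothing in this diff calls `checkCreateUsers`, so the create-user path mentioned by HHQ-3780 is only closed once its callers are wired to this method, presumably in a separate commit. Note also that this call passes `getRootResourceType()` where the removed check in the first hunk passed `getRootResourceType().getId()`; if both `check` overloads exist that is fine, but it is worth confirming they resolve to the same authorization lookup.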