Details

    • Complexity:
      Low

      Description

      It is not possible to save a user from a daemon thread because the logic in UserServiceImpl.checkPrivileges wrongly checks if the authenticated user has all the privileges that the other user being saved has.

      Due to this, Daemon can update a system developer's account and no other user unless the user has no privilege at all in the system.

      The code needs to be changed not to call authenticatedUser.hasPrivilege(privilege) but rather Context.hasPrivilege(privilege), since it checks if the user is either superuser or the code is being executed from a Daemon Thread, which would pass for Daemon thread too.

      Another strange behavior according to the current code is that any user can update a system developer account if they have save and edit user privileges, even if they are not super user themselves. I think to update a system developer account you need to be a system developer too.
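
The difference between the two checks named in the description, as an added example that is not code from this ticket or from OpenMRS. `User`, `Ctx`, `checkAsReported`, `checkAsProposed` and the sample accounts are simplified stand-ins, and it assumes the acting user on a daemon thread holds no privileges of its own; the system developer case is not modelled.

```java
import java.util.Set;

// Added illustration (Java 16+). User and Ctx are simplified stand-ins written
// for this example; they are not the OpenMRS classes.
public class CheckPrivilegesDemo {

    record User(String name, boolean superUser, Set<String> privileges) {
        boolean hasPrivilege(String p) { return superUser || privileges.contains(p); }
    }

    // Stand-in for the context-level check the ticket describes: it passes for
    // a superuser or when the code is executing on a daemon thread.
    static final class Ctx {
        static User authenticated;
        static boolean daemonThread;
        static boolean hasPrivilege(String p) {
            return daemonThread || authenticated.hasPrivilege(p);
        }
    }

    // Check as reported: the authenticated user must hold every privilege of
    // the user being saved.
    static boolean checkAsReported(User target) {
        return target.privileges().stream().allMatch(Ctx.authenticated::hasPrivilege);
    }

    // Check as proposed: same loop, delegated to the context-level check.
    static boolean checkAsProposed(User target) {
        return target.privileges().stream().allMatch(Ctx::hasPrivilege);
    }

    public static void main(String[] args) {
        // Assumption: on a daemon thread the acting user holds no privileges itself.
        Ctx.authenticated = new User("daemon", false, Set.of());
        Ctx.daemonThread = true;

        User clerk = new User("clerk", false, Set.of("View Patients")); // constructed sample
        User blank = new User("blank", false, Set.of());                 // no privileges at all

        for (User target : new User[] { clerk, blank }) {
            System.out.printf("%-5s reported=%b proposed=%b%n", target.name(),
                    checkAsReported(target), checkAsProposed(target));
        }
    }
}
```

The account with no privileges passes both checks because there is nothing to compare, which matches the exception noted in the description.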

            People

            • Assignee:
              raff Rafal Korytkowski
              Reporter:
              wyclif Wyclif Luyima
              Designated Committer:
              Rafal Korytkowski

                Time Tracking

                Estimated:
                3h
                Remaining:
                3h
                Logged:
                Not Specified