  1. OpenMRS Core
  2. TRUNK-4099

Daemon user cannot save a user


    Details

    • Complexity:
      Low

      Description

      It is not possible to save a user from a daemon thread because the logic in UserServiceImpl.checkPrivileges wrongly checks if the authenticated user has all the privileges that the other user being saved has.

      Due to this, Daemon can update a system developer's account and no other user unless the user has no privilege at all in the system.

      The code needs to be changed not to call authenticatedUser.hasPrivilege(privilege) but rather Context.hasPrivilege(privilege) since it checks if the user is either superuser or the code is being executed from a Daemon Thread which would pass for Daemon thread too.

      Another strange behavior according to the current code is that any user can update a system developer account if they have the save and edit user privileges, even if they are not a superuser themselves. I think to update a system developer account you need to be a system developer too.
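
The check and the proposed change, modelled as an added example (not OpenMRS Core code and not the reporter's). `User`, `Ctx`, `checkBefore`, `checkAfter` and the privilege names are hypothetical stand-ins, and the system developer account is assumed to hold no explicitly listed privileges.

```java
import java.util.Set;

// Simplified model of the check discussed in TRUNK-4099 (Java 16+ for records).
// User and Ctx are hypothetical stand-ins, not the OpenMRS Core classes.
public class CheckPrivilegesModel {

    record User(String name, Set<String> privileges, boolean superUser) {
        boolean hasPrivilege(String p) { return superUser || privileges.contains(p); }
    }

    // Stand-in for the context: who is authenticated and whether this is a daemon thread.
    record Ctx(User authenticated, boolean daemonThread) {
        boolean hasPrivilege(String p) { return daemonThread || authenticated.hasPrivilege(p); }
    }

    // Reported behaviour: the authenticated user object must hold every target privilege.
    static boolean checkBefore(Ctx ctx, User target) {
        return target.privileges().stream().allMatch(ctx.authenticated()::hasPrivilege);
    }

    // Proposed change: ask the context, which also passes on a daemon thread.
    static boolean checkAfter(Ctx ctx, User target) {
        return target.privileges().stream().allMatch(ctx::hasPrivilege);
    }

    public static void main(String[] args) {
        // Constructed sample accounts; privilege names are illustrative.
        User daemonUser = new User("daemon", Set.of(), false);
        Ctx daemon = new Ctx(daemonUser, true);
        Ctx clerk = new Ctx(new User("clerk", Set.of("Edit Users"), false), false);

        User nurse = new User("nurse", Set.of("View Patients"), false);
        User empty = new User("empty", Set.of(), false);
        // Assumption: the system developer holds no explicitly listed privileges.
        User sysDev = new User("sysdev", Set.of(), true);

        for (User target : new User[] { nurse, empty, sysDev }) {
            System.out.printf("%-7s daemon before=%-5b after=%-5b | clerk before=%-5b after=%-5b%n",
                target.name(), checkBefore(daemon, target), checkAfter(daemon, target),
                checkBefore(clerk, target), checkAfter(clerk, target));
        }
    }
}
```

In this model the clerk passes the check for the system developer account both before and after the change, which matches the reporter's second observation.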

            People

            Assignee:
            raff Rafal Korytkowski
            Reporter:
            wyclif Wyclif Luyima
            Designated Committer:
            Rafal Korytkowski
            Votes:
            0
            Watchers:
            5


                Time Tracking

                Original Estimate: 3 hours
                Remaining Estimate: 3 hours
                Time Spent: Not Specified