From c110010dddf647925707a8dcd19c86e1f5254878 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Sat, 14 Feb 2015 22:13:45 +0000
Subject: [PATCH] - Fix JCR security model initialisation order - Only admins can see the admin role

git-svn-id: https://svn.argeo.org/commons/trunk@7883 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../cms/internal/useradmin/SimpleJcrSecurityModel.java | 9 +++++----
 .../useradmin/jackrabbit/JackrabbitUserAdminService.java | 8 ++++++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/SimpleJcrSecurityModel.java b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/SimpleJcrSecurityModel.java
index 7c4685304..9d26f1335 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/SimpleJcrSecurityModel.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/SimpleJcrSecurityModel.java
@@ -51,14 +51,15 @@ public class SimpleJcrSecurityModel implements JcrSecurityModel {
 	@Override
 	public void init(Session adminSession) throws RepositoryException {
 		JcrUtils.mkdirs(adminSession, homeBasePath);
-		JcrUtils.mkdirs(adminSession, peopleBasePath);
+		adminSession.save();
+
+		JcrUtils.addPrivilege(adminSession, homeBasePath,
+				UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
+				Privilege.JCR_READ);
 		JcrUtils.addPrivilege(adminSession, peopleBasePath,
 				UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
 				Privilege.JCR_ALL);
-		// JcrUtils.addPrivilege(adminSession, "/",
-		// UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
-		// Privilege.JCR_READ);
 	}
 
 	public synchronized Node sync(Session session, String username,
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java
index d35f996f4..6b73a3e19 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java
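Review bot: `init` still grants `Privilege.JCR_ALL` on `peopleBasePath`, but the `JcrUtils.mkdirs(adminSession, peopleBasePath)` that used to create that node is removed, so on a fresh repository the second `addPrivilege` targets a node nothing in this method creates; presumably it now exists because the caller runs `sync()` before `init()` after this commit, and that precondition should be written down: `// peopleBasePath is created by sync(); init() must run after the first sync — confirm against JackrabbitUserAdminService`. The new `adminSession.save()` persists the `homeBasePath` node before any ACL is applied, but no save follows the two `addPrivilege` calls, so whether the policies reach the repository depends on `JcrUtils.addPrivilege` saving internally, which is not visible here and deserves a comment either way. Granting the user-admin group `JCR_READ` on `homeBasePath` presumably covers, through ACL inheritance, every user home below it; state that scope in the method's Javadoc so the grant is a reviewed decision rather than an incidental one.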
+++ b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java
@@ -28,6 +28,7 @@ import org.argeo.cms.internal.auth.JcrSecurityModel;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.jcr.UserJcrUtils;
 import org.argeo.security.NodeAuthenticationToken;
+import org.argeo.security.SecurityUtils;
 import org.argeo.security.UserAdminService;
 import org.argeo.security.jcr.JcrUserDetails;
 import org.argeo.security.jcr.NewUserDetails;
@@ -63,7 +64,6 @@ public class JackrabbitUserAdminService implements UserAdminService,
 				.getAuthentication();
 		authentication.getName();
 		adminSession = (JackrabbitSession) repository.login();
-		securityModel.init(adminSession);
 		Authorizable adminGroup = getUserManager().getAuthorizable(
 				KernelHeader.ROLE_ADMIN);
 		if (adminGroup == null) {
@@ -79,6 +79,7 @@ public class JackrabbitUserAdminService implements UserAdminService,
 			securityModel.sync(adminSession, KernelHeader.USERNAME_ADMIN, null);
 			adminSession.save();
 		}
+		securityModel.init(adminSession);
 	}
 
 	public void destroy() throws RepositoryException {
@@ -282,7 +283,10 @@ public class JackrabbitUserAdminService implements UserAdminService,
 			Group group = (Group) groups.next();
 			String groupName = group.getPrincipal().getName();
 			String role = groupNameToRole(groupName);
-			if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN))
+			if (role != null
+					&& !role.equals(KernelHeader.ROLE_GROUP_ADMIN)
+					&& !(role.equals(KernelHeader.ROLE_ADMIN) && !SecurityUtils
+							.hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN)))
 				res.add(role);
 		}
 		return res;
-- 
2.30.2
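Review bot: The reason `securityModel.init(adminSession)` had to move below the admin-group bootstrap (this hunk at `@@ -63,7 +64,6 @@` together with the one at `@@ -79,6 +79,7 @@`) is not recorded in the code, so a later refactor can move it back without noticing; add a line above the new call such as `// must run after the admin group/user exist: init() grants privileges to group principals that have to resolve` (the cause is inferred from the commit subject and SimpleJcrSecurityModel.init, so confirm it). With `init` now the last statement of the method, a `RepositoryException` thrown by it leaves the `adminSession` obtained from `repository.login()` open unless the method wraps it in a try/finally; the method's start and end are outside the hunk, so this is worth checking. The context line `authentication.getName();` discards its result and looks like a leftover; it is not part of this change but could be removed in passing.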
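Review bot: The triple-negated clause `!(role.equals(KernelHeader.ROLE_ADMIN) && !SecurityUtils.hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN))` in the new `if` is hard to read and easy to invert by mistake; name it before the condition, `boolean hideAdminRole = KernelHeader.ROLE_ADMIN.equals(role) && !SecurityUtils.hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN);`, and test `&& !hideAdminRole` in the `if`. Because the filter keys on the calling thread's authority, the same group membership now yields different results depending on who calls, so the method's Javadoc should say so, e.g. `Hides ROLE_ADMIN from callers that do not hold it themselves; the membership is unchanged in the repository, so this is a disclosure filter, not an authorization check`, which keeps callers from treating the returned list as the authoritative check. The enclosing method starts outside the hunk.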