- Fix JCR security model initialisation order
authorMathieu Baudier <mbaudier@argeo.org>
Sat, 14 Feb 2015 22:13:45 +0000 (22:13 +0000)
committerMathieu Baudier <mbaudier@argeo.org>
Sat, 14 Feb 2015 22:13:45 +0000 (22:13 +0000)
- Only admins can see the admin role

git-svn-id: https://svn.argeo.org/commons/trunk@7883 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc

org.argeo.cms/src/org/argeo/cms/internal/useradmin/SimpleJcrSecurityModel.java
org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java

index 7c4685304b0d16bd67909b74f4616e153f5fa145..9d26f13352ffbccbfb5ed9a6f237f0be2a707b91 100644 (file)
@@ -51,14 +51,15 @@ public class SimpleJcrSecurityModel implements JcrSecurityModel {
        @Override
        public void init(Session adminSession) throws RepositoryException {
                JcrUtils.mkdirs(adminSession, homeBasePath);
-
                JcrUtils.mkdirs(adminSession, peopleBasePath);
+               adminSession.save();
+
+               JcrUtils.addPrivilege(adminSession, homeBasePath,
+                               UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
+                               Privilege.JCR_READ);
                JcrUtils.addPrivilege(adminSession, peopleBasePath,
                                UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
                                Privilege.JCR_ALL);
-               // JcrUtils.addPrivilege(adminSession, "/",
-               // UserAccessControlProvider.USER_ADMIN_GROUP_NAME,
-               // Privilege.JCR_READ);
        }
 
        public synchronized Node sync(Session session, String username,
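Review bot: The two `addPrivilege` grants added to `init` name the principal `UserAccessControlProvider.USER_ADMIN_GROUP_NAME`, but nothing in this method checks or documents that the principal already exists; the commit relies solely on the caller in JackrabbitUserAdminService invoking `init` after the admin groups are created. That precondition belongs on the method so the next reordering does not silently break it: add the Javadoc `/** Creates the home/people base nodes and grants the user-admin group read access to homes and full access to people. Must be called once the user-admin group principal exists, since the ACL entries reference it by name. */` above `init`. The new `adminSession.save()` persists only the directories created by the `mkdirs` calls; if `JcrUtils.addPrivilege` does not save the session itself (not visible here), the ACL changes it makes stay transient until some later save, in which case a second `adminSession.save();` after the `Privilege.JCR_ALL` grant would make this method self-contained.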
index d35f996f49e7e78b074119748fa5ed70d2545f8e..6b73a3e19af4e182fda24d06aeac4d9b56927a81 100644 (file)
@@ -28,6 +28,7 @@ import org.argeo.cms.internal.auth.JcrSecurityModel;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.jcr.UserJcrUtils;
 import org.argeo.security.NodeAuthenticationToken;
+import org.argeo.security.SecurityUtils;
 import org.argeo.security.UserAdminService;
 import org.argeo.security.jcr.JcrUserDetails;
 import org.argeo.security.jcr.NewUserDetails;
@@ -63,7 +64,6 @@ public class JackrabbitUserAdminService implements UserAdminService,
                                .getAuthentication();
                authentication.getName();
                adminSession = (JackrabbitSession) repository.login();
-               securityModel.init(adminSession);
                Authorizable adminGroup = getUserManager().getAuthorizable(
                                KernelHeader.ROLE_ADMIN);
                if (adminGroup == null) {
@@ -79,6 +79,7 @@ public class JackrabbitUserAdminService implements UserAdminService,
                        securityModel.sync(adminSession, KernelHeader.USERNAME_ADMIN, null);
                        adminSession.save();
                }
+               securityModel.init(adminSession);
        }
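Review bot: The `securityModel.init(adminSession)` call is moved here, after the admin group is created and saved (and removed from its earlier position in the previous hunk), but the new code does not say why the order matters, so a reader sees an arbitrary move. Presumably `init` grants privileges to a group principal that must exist first; state that on the line: `// init grants ACLs to the admin groups, so it must run after they exist`. Note also that `init` now runs outside the `if (adminGroup == null)` block, i.e. on every startup, which is fine only if `init` is idempotent (mkdirs and re-applied grants appear to be, but that is the security model's contract to document, not this caller's to assume). The enclosing method's signature and the surrounding `if` begin outside these hunks.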
 
        public void destroy() throws RepositoryException {
@@ -282,7 +283,10 @@ public class JackrabbitUserAdminService implements UserAdminService,
                                Group group = (Group) groups.next();
                                String groupName = group.getPrincipal().getName();
                                String role = groupNameToRole(groupName);
-                               if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN))
+                               if (role != null
+                                               && !role.equals(KernelHeader.ROLE_GROUP_ADMIN)
+                                               && !(role.equals(KernelHeader.ROLE_ADMIN) && !SecurityUtils
+                                                               .hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN)))
                                        res.add(role);
                        }
                        return res;
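Review bot: The new four-line condition nests three negations, and the clause that hides the admin role (`!(role.equals(ROLE_ADMIN) && !hasCurrentThreadAuthority(ROLE_ADMIN))`) is hard to read and easy to invert on the next edit; naming it makes the intent explicit and is null-safe without relying on the earlier `role != null` short-circuit: `boolean hideAdminRole = KernelHeader.ROLE_ADMIN.equals(role) && !SecurityUtils.hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN);` followed by `if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN) && !hideAdminRole)`. Worth a comment that this filters what the listing shows to non-admins, not what they can do, so authorization still has to be enforced where the role is consumed: `// visibility only: non-admins are not shown ROLE_ADMIN in role listings`. Because the check is bound to the current thread's authority, calling this method from a background or startup thread without an admin context will omit the admin role; if any such caller exists it should be reviewed. The enclosing method and the loop over `groups` start before this hunk, and `return res;` is inside a block that closes after it.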