[JIRA] Created: (APF-1162) dynamic menu rendering by allowing users to add / remove user roles

AppFuse - Issues mailing list

[JIRA] Created: (APF-1162) dynamic menu rendering by allowing users to add / remove user roles

dynamic menu rendering by allowing users to add / remove user roles
-------------------------------------------------------------------

                 Key: APF-1162
                 URL: http://issues.appfuse.org/browse/APF-1162
             Project: AppFuse
          Issue Type: New Feature
          Components: Security
    Affects Versions: 2.0.2
         Environment: struts2
            Reporter: Marek
            Assignee: Matt Raible
            Priority: Minor


I have implemented dynamic menu rendering, based on user roles, that the user can assign himself. Here are the necessary changes:

DB: add column 'role' of type varchar (3) to table 'role'
set sort column for roles USER_ROLE and ADMIN_ROLE to "sys" to indicate these roles are system roles and may not be added / removed by the user
add role ROLE_SOMETHING, "User definable role", "usr" <-- To indicate this role may be added / removed by the user

Role.java:

Change constructor to:

  public Role(final String name, String sort) {
    this.name = name;
    this.sort = sort;
  }

ADD:

  // backing field for the new "sort" property ("sys" = system role, "usr" = user-definable role)
  private String sort;

  //  @Column(length = 3)
  public String getSort() {
    return this.sort;
  }

  public void setSort(String sort) {
    this.sort = sort;
  }

UserSecurityAdvice:

Change to:

          // get the set of roles the user wants to have after the update
          Set<Role> currentRoles = new HashSet<Role>();
          for (GrantedAuthority role : roles) {
            currentRoles.add((Role) role);
          }

          boolean modifySystemRole = false;

          // compare against the roles the user actually has
          if (user.getRoles() != null) {

            // roles the user has but no longer requests: removing a system role is forbidden
            for (Object o : user.getRoles()) {
              Role role = (Role) o;
              if (role.getSort().equalsIgnoreCase("sys") && !currentRoles.contains(role)) {
                modifySystemRole = true;
              }
            }

            // roles the user requests but does not have: adding a system role is forbidden
            for (Role role : currentRoles) {
              if (role.getSort().equalsIgnoreCase("sys") && !user.getRoles().contains(role)) {
                modifySystemRole = true;
              }
            }
          }

          // regular users aren't allowed to change system roles
          if (modifySystemRole) {
            log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to change system role(s)!");
            throw new AccessDeniedException(ACCESS_DENIED);
          }

UserSecurityAdviceTest.java:

Change all
user.addRole(new Role(Constants.ADMIN_ROLE)); TO user.addRole(new Role(Constants.ADMIN_ROLE,"sys"));
user.addRole(new Role(Constants.USER_ROLE)); TO user.addRole(new Role(Constants.USER_ROLE,"usr"));

Other test and java classes: same change as the one directly above.

Implementation: implement for instance a checkbox and add / remove ROLE_SOMETHING according to checkbox setting.


--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.appfuse.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
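The check the proposal describes, as an added stand-alone example that is not code from the issue or from AppFuse: the two loops in the proposed UserSecurityAdvice change amount to "no role flagged as a system role may appear in only one of the two sets (roles held, roles requested)". The example below assumes a minimal Role stand-in (name plus the proposed "sort" flag) with equals/hashCode on the name so that set membership works across separately loaded instances, and, as a deliberate fail-closed choice not stated in the issue, treats a role whose sort value is null as a system role instead of dereferencing it. All names (RoleChangeCheck, changedSystemRoles, enforce, isSystemRole) and the sample roles are constructed for this example.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public final class RoleChangeCheck {

    /** Minimal stand-in for AppFuse's Role: a name plus the proposed "sort" flag ("sys" or "usr"). */
    static final class Role {
        private final String name;
        private final String sort;

        Role(String name, String sort) {
            this.name = Objects.requireNonNull(name);
            this.sort = sort;
        }

        /** Assumption of this example: a missing sort value fails closed and counts as a system role. */
        boolean isSystemRole() {
            return sort == null || "sys".equalsIgnoreCase(sort);
        }

        // Equality by name only, so that roles loaded from the DB and roles built from
        // the request compare equal inside a HashSet.
        @Override public boolean equals(Object o) { return o instanceof Role && ((Role) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name + "(" + sort + ")"; }
    }

    /** Stand-in for the AccessDeniedException thrown by the advice. */
    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /**
     * Returns the system roles whose membership would change if the user's current roles
     * were replaced by the requested set: system roles that would be dropped plus system
     * roles that would be gained. An empty result means only "usr" roles are touched.
     */
    static Set<Role> changedSystemRoles(Set<Role> current, Set<Role> requested) {
        Set<Role> changed = new HashSet<>();
        for (Role r : current) {                       // held but no longer requested: removal
            if (r.isSystemRole() && !requested.contains(r)) changed.add(r);
        }
        for (Role r : requested) {                     // requested but not held: addition
            if (r.isSystemRole() && !current.contains(r)) changed.add(r);
        }
        return changed;
    }

    /** Server-side enforcement point; the checkbox in the UI must never be the only guard. */
    static void enforce(String username, Set<Role> current, Set<Role> requested) {
        Set<Role> changed = changedSystemRoles(current, requested);
        if (!changed.isEmpty()) {
            throw new AccessDeniedException("'" + username + "' tried to change system role(s): " + changed);
        }
    }

    public static void main(String[] args) {
        // Constructed sample roles mirroring the issue: two system roles, one user-definable role.
        Role user = new Role("ROLE_USER", "sys");
        Role admin = new Role("ROLE_ADMIN", "sys");
        Role something = new Role("ROLE_SOMETHING", "usr");
        Set<Role> has = Set.of(user);

        // Allowed: toggling the user-definable role on and then off again.
        enforce("marek", has, Set.of(user, something));
        enforce("marek", Set.of(user, something), has);
        System.out.println("toggling ROLE_SOMETHING: allowed");

        // Denied: picking up ROLE_ADMIN, dropping ROLE_USER, or adding an unlabelled role.
        Set<Set<Role>> rejected = Set.of(Set.of(user, admin), Set.of(something),
                                         Set.of(user, new Role("ROLE_UNLABELLED", null)));
        for (Set<Role> requested : rejected) {
            try {
                enforce("marek", has, requested);
                System.out.println("BUG: " + requested + " was accepted");
            } catch (AccessDeniedException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

Run it with `javac RoleChangeCheck.java && java RoleChangeCheck` (Java 9 or later for `Set.of`). Returning the offending roles rather than a bare boolean keeps the log line in the advice specific without changing the decision, and the null-sort branch is the one behaviour here that goes beyond the proposal: with the original `role.getSort().equalsIgnoreCase("sys")`, a role row that never received a sort value would throw a NullPointerException instead of being denied.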


[JIRA] Commented: (APF-1162) dynamic menu rendering by allowing users to add / remove user roles


    [ http://issues.appfuse.org/browse/APF-1162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12691 ]

Matt Raible commented on APF-1162:
----------------------------------

Do you have a use case that requires allowing users to assign themselves roles?

The reason I ask is this typically seems like something an administrator would do.

> dynamic menu rendering by allowing users to add / remove user roles
> -------------------------------------------------------------------
>
>                 Key: APF-1162
>                 URL: http://issues.appfuse.org/browse/APF-1162
>             Project: AppFuse
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: 2.0.2
>         Environment: struts2
>            Reporter: Marek
>            Assignee: Matt Raible
>            Priority: Minor
>
> I have implemented dynamic menu rendering, based on user roles, that the user can assign himself. Here are the necessary changes:
> DB: add column 'role' of type varchar (3) to table 'role'
> set sort column for roles USER_ROLE and ADMIN_ROLE to "sys" to indicate these roles are system roles and may not be added / removed by the user
> add role ROLE_SOMETHING, "User definable role", "usr" <-- To indicate this role may be added / removed by the user
> Role.java:
> Change constructor to:
>   public Role(final String name, String sort) {
>     this.name = name;
>     this.sort = sort;
>   }
> ADD:
>   //  @Column(length = 3)
>   public String getSort() {
>     return this.sort;
>   }
>   public void setSort(String string) {
>     sort = string;
> UserSecurityAdvice:
> Change to:
>           // get the list of roles the user wants to have
>           Set<Role> currentRoles = new HashSet<Role>();
>           for (GrantedAuthority role : roles) {
>             currentRoles.add((Role) role);
>           }
>           Boolean modifySystemRole = false;
>           // determine the list of roles the user has
>           if (user.getRoles() != null) {
>             // check the list of roles the user wants to remove
>             for (Object o : user.getRoles()) {
>               Role role = (Role) o;
>               // check if the user tries to add a system role - this is forbidden
>               if (role.getSort().equalsIgnoreCase("sys") && !currentRoles.contains(role)) {
>                 modifySystemRole = true;
>               }
>             }
>             // check the list of roles the user wants to remove
>             for (Object o : currentRoles) {
>               Role role = (Role) o;
>               // check if the user tries to remove a system role - this is forbidden
>               if (role.getSort().equalsIgnoreCase("sys") && !user.getRoles().contains(role)) {
>                 modifySystemRole = true;
>               }
>             }
>           }
>           // regular users aren't allowed to change system roles
>           if (modifySystemRole) {
>             log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to change system role(s)!");
>             throw new AccessDeniedException(ACCESS_DENIED);
>           }
> UserSecurityAdviceTest.java:
> Change all
> user.addRole(new Role(Constants.ADMIN_ROLE)); TO user.addRole(new Role(Constants.ADMIN_ROLE,"sys"));
> user.addRole(new Role(Constants.USER_ROLE)); TO user.addRole(new Role(Constants.USER_ROLE,"usr"));
> Other test and java classes: same change as the one directly above.
> Implementation: implement for instance a checkbox and add / remove ROLE_SOMETHING according to checkbox setting.
