Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- 14.5.0
- None
- Flagged
- Pulsar
- Pulsar 260 - BEST, Pulsar 261 - BEST+
Description
In a use case where by far most users are external users (from LDAP integration), the admins are also external users.
Problem
When logged in as external admin, trying to access internal users in the admin panels leads to javax.jcr.AccessDeniedException "Not allowed to use the ChangePasswordManager for system or external users". This stems from REPO-2260 in 14.0.
This prohibits:
- External (LDAP-based) admins to view and manage internal users (some "emergency" internal users are needed)
- External (LDAP-based) developers to create internal users for development purposes (e.g. on a staging environment) if devs can't add users to LDAP
- External (LDAP-based) pentesters and security testers to properly test/review the admin section
So, while denying password changes on external users is good (hence the AccessDeniedException), the admin panels do not recognize the above use cases.
Possible fix
In org.hippoecm.frontend.plugins.cms.admin.users.User#init, before using getChangePasswordManager(), check whether the current session user is the user represented by the instantiated User object:
```java
if (!external) { // change
    final String currentUserId = UserSession.get().getJcrSession().getUserID(); // change
    if (currentUserId.equals(username)) {
        passwordMaxAge = SecurityManagerHelper.getChangePasswordManager().getPasswordMaxAgeMs(); // change
    }
}
```
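The following is an added illustration of why the guard works, not Hippo/Bloomreach code: Session, Account, PasswordManager and the 90-day max age are constructed stand-ins, and the manager refusing to serve an external session user models the behaviour reported in this issue.

```java
import java.util.concurrent.TimeUnit;

public class AdminPanelGuard {

    static final class Session { final String userId; final boolean external;
        Session(String userId, boolean external) { this.userId = userId; this.external = external; } }

    static final class Account { final String username; final boolean external;
        Account(String username, boolean external) { this.username = username; this.external = external; } }

    // Stand-in for the repository's ChangePasswordManager: it is bound to the
    // session that obtained it and refuses to serve system or external users.
    static final class PasswordManager {
        private final Session session;
        PasswordManager(Session session) { this.session = session; }
        long getPasswordMaxAgeMs() {
            if (session.external) {
                throw new IllegalStateException( // AccessDeniedException in the real repository
                    "Not allowed to use the ChangePasswordManager for system or external users");
            }
            return TimeUnit.DAYS.toMillis(90); // constructed policy value
        }
    }

    // Behaviour reported in the issue: only the target's flag is checked, so an
    // external admin opening an internal user's panel still hits the manager.
    static Long initUnguarded(Session session, Account target) {
        if (!target.external) {
            return new PasswordManager(session).getPasswordMaxAgeMs();
        }
        return null;
    }

    // Proposed fix: touch the manager only when the panel shows the session's own
    // internal account; viewing any other account leaves passwordMaxAge unset.
    static Long initGuarded(Session session, Account target) {
        if (!target.external && session.userId.equals(target.username)) {
            return new PasswordManager(session).getPasswordMaxAgeMs();
        }
        return null;
    }

    public static void main(String[] args) {
        Session ldapAdmin = new Session("ldap-admin", true);      // external admin (constructed)
        Account emergency = new Account("emergency-admin", false); // internal user (constructed)
        try { initUnguarded(ldapAdmin, emergency); } catch (IllegalStateException e) {
            System.out.println("unguarded: " + e.getMessage()); }
        System.out.println("guarded: " + initGuarded(ldapAdmin, emergency));
        Session jdoe = new Session("jdoe", false);
        System.out.println("self: " + initGuarded(jdoe, new Account("jdoe", false)));
    }
}
```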
Issue Links
- relates to REPO-2260 Introducing a new ChangePasswordManager provided through the RepositorySecurityManager (Closed)