  1. OpenAM
  2. OPENAM-10860

refactor checks for superUser to make it easier to analyse where it is required


Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • delegation
    • 0
    • No
    • None

    Description

      OpenAM has several different routines internally for checking whether a user is the super user (by default amadmin) or literally amadmin. This makes it difficult to determine all of the configuration items that only the super user or amadmin can perform.

      Instead, it may be better to avoid using methods like isSuperUser() and instead call a common method which checks whether the current user is a super user AND has permission to perform the task at hand (even though the super user can perform all tasks). This has the side effect of forcing developers to register a permission that a super user requires, making it easier to determine where it is used.

      For example, instead of using isSuperUser(username), use someClass.canSuperUser("access debug.jsp").

      A major customer recently requested all of the differences between an amadmin account and a fully privileged account. This took several days to work out. Refactoring the code in this way will ensure that this could be answered more quickly in future and make it easier to document.

          People

            Assignee: Unassigned
            Reporter: Simon Harding (simon.harding)
            Votes: 1
            Watchers: 2
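
One way the proposed common check could look, as an added sketch that is not part of the ticket or of OpenAM's code base. The class `SuperUserGate`, its methods, the two-argument form of `canSuperUser`, and the second task name are hypothetical, and identifying the super user by a plain name comparison is an assumption made to keep the example self-contained.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentSkipListSet;

/** Hypothetical sketch; none of these names exist in OpenAM. */
public class SuperUserGate {
    // Every task that only the super user may perform must be declared here.
    private final Set<String> registeredTasks = new ConcurrentSkipListSet<>();
    // Assumption: the super user is identified by name (by default amadmin).
    private final String superUserName;

    public SuperUserGate(String superUserName) {
        this.superUserName = superUserName;
    }

    /** Declare a super-user-only task, typically once at start-up. */
    public void register(String task) {
        registeredTasks.add(task);
    }

    /**
     * Single entry point replacing scattered isSuperUser(username) calls.
     * An undeclared task is a programming error, so it fails loudly instead
     * of silently granting or denying access.
     */
    public boolean canSuperUser(String username, String task) {
        if (!registeredTasks.contains(task)) {
            throw new IllegalStateException("Unregistered super-user task: " + task);
        }
        // equals() on the configured name also rejects a null username.
        return superUserName.equals(username);
    }

    /** The audit answer: every task that requires the super user, sorted. */
    public Set<String> superUserOnlyTasks() {
        return Collections.unmodifiableSet(registeredTasks);
    }

    public static void main(String[] args) {
        SuperUserGate gate = new SuperUserGate("amadmin");
        gate.register("access debug.jsp");
        gate.register("edit server configuration"); // constructed sample task

        System.out.println(gate.canSuperUser("amadmin", "access debug.jsp"));
        System.out.println(gate.canSuperUser("delegatedAdmin", "access debug.jsp"));
        System.out.println(gate.superUserOnlyTasks());
    }
}
```

Because a call with an unregistered task throws, the registry cannot drift from the call sites, so `superUserOnlyTasks()` stays a complete list of what separates the super user from a fully privileged account.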