fix(security) always checks CMS_ADMIN role before granting access to …

…resource ref: #27909
dotCMS · Mar 8, 2024 · 19662b1 · 19662b1
1 parent d5b25cb
commit 19662b1
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/dotCMS/src/main/java/com/dotcms/rest/WebResource.java b/dotCMS/src/main/java/com/dotcms/rest/WebResource.java
@@ -364,7 +364,7 @@ public InitDataObject init(final InitBuilder builder) throws SecurityException {
         }
 
 
-        if (builder.requireAdmin || builder.requiredRolesSet.contains(Role.CMS_ADMINISTRATOR_ROLE) && !user.isAdmin()) {
+        if (builder.requiredRolesSet.contains(Role.CMS_ADMINISTRATOR_ROLE) && !user.isAdmin()) {
             throw new SecurityException(
                     String.format("User " + (user != null ? user.getFullName() + ":" + user.getEmailAddress() : user)
                             + " is not a %s", Role.CMS_ADMINISTRATOR_ROLE),
@@ -418,7 +418,7 @@ public InitDataObject init(final InitBuilder builder) throws SecurityException {
      * @param request  {@link HttpServletRequest}
      * @param response {@link HttpServletResponse}
      * @param paramsMap {@link Map}
-     * @param rejectWhenNoUser {@link Boolean}
+     * @param access {@link AnonymousAccess}
      *
      * @return the login user or the login as user if exist any
      */
@@ -778,7 +778,6 @@ public static class InitBuilder {
         private final Set<String> requiredRolesSet = new HashSet<>();
         private AnonymousAccess anonAccess=AnonymousAccess.NONE;
         private boolean requireLicense = false;
-        private boolean requireAdmin = false;
         public InitBuilder() {
           this(new WebResource());
 
@@ -822,7 +821,6 @@ public InitBuilder requiredBackendUser(final boolean requiredBackendUser) {
         }
 
        public InitBuilder requireAdmin(final boolean requireAdmin) {
-           this.requireAdmin = requireAdmin;
            if (requireAdmin) {
                requiredRolesSet.add(Role.CMS_ADMINISTRATOR_ROLE);
            } else {