
[bugfix] Security assertions were in the wrong places! User can now c…

…hange own password
1 parent 7f9ccfa commit 66446dcbce3e2689b76fd429e4085a4f1cf2472b @adamretter adamretter committed Sep 5, 2013
Showing with 8 additions and 10 deletions.
  1. +8 −10 src/org/exist/xquery/functions/securitymanager/AccountManagementFunction.java
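--- a/src/org/exist/xquery/functions/securitymanager/AccountManagementFunction.java
+++ b/src/org/exist/xquery/functions/securitymanager/AccountManagementFunction.java
@@ -105,17 +105,16 @@ public Sequence eval(final Sequence[] args, final Sequence contextSequence) thro
  final DBBroker broker = getContext().getBroker();
  final Subject currentUser = broker.getSubject();
  final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
-
- if(!currentUser.hasDbaRole()) {
- throw new XPathException("You must be a DBA to create a User Account.");
- }
  final String username = args[0].getStringValue();
  try {
  if(isCalledAs(qnRemoveAccount.getLocalName())) {
  /* remove account */
-
+ if(!currentUser.hasDbaRole()) {
+ throw new XPathException("Only a DBA user may remove accounts.");
+ }
+
  if(!securityManager.hasAccount(username)) {
  throw new XPathException("The user account with username " + username + " does not exist.");
  }
@@ -124,10 +123,6 @@ public Sequence eval(final Sequence[] args, final Sequence contextSequence) thro
  throw new XPathException("You cannot remove yourself i.e. the currently logged in user.");
  }
- if(!currentUser.hasDbaRole()) {
- throw new XPathException("Only a DBA user may remove accounts.");
- }
-
  securityManager.deleteAccount(username);
  } else {
@@ -147,7 +142,10 @@ public Sequence eval(final Sequence[] args, final Sequence contextSequence) thro
  } else if(isCalledAs(qnCreateAccount.getLocalName())) {
  /* create account */
-
+ if(!currentUser.hasDbaRole()) {
+ throw new XPathException("You must be a DBA to create a User Account.");
+ }
+
  if(securityManager.hasAccount(username)) {
  throw new XPathException("The user account with username " + username + " already exists.");
  }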
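Review bot: With the blanket `hasDbaRole()` guard removed from the top of `eval`, every branch between the `} else {` that follows `deleteAccount(username)` and the `qnCreateAccount` branch is now reachable by any authenticated subject. Those bodies lie outside the hunks, so it is not visible whether the password-change path verifies that `username` names the caller's own account (or that the caller is a DBA) before modifying it; that check, or an equivalent one inside `securityManager`, should be confirmed. Authorization is now opt-in per branch, so a branch added later without its own check would be open to all users. I would record that contract at the top of the `try` block, e.g. `// authorization is enforced per branch: each branch must check hasDbaRole() or that username is the current user`, and consider a small private helper that both DBA-only branches call so the rule is stated once.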
