Skip to content

Commit

Permalink
Remove ROLE_COURSE_ADMIN
Browse files Browse the repository at this point in the history
Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint
to create new users not including the role ROLE_ADMIN. For example:

```sh
% curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201

% curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201
```

`ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is
referenced neither in the documentation nor in any code (except for
tests) but only in the security configuration. From the name – implying
an admin for a specific course – users would never expect that this role
allows user creation.

This patch fixes the problem by dropping the default access rules for
`ROLE_COURSE_ADMIN`. Users which use and need this custom role can
easily configure this specific to their needs. There is no reason to
ship this by default.
  • Loading branch information
lkiesow committed Jan 29, 2020
1 parent b157e1f commit 72fad00
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions etc/security/mh_default_org.xml
Original file line number Diff line number Diff line change
Expand Up @@ -297,11 +297,11 @@
<sec:intercept-url pattern="/transcripts/watson/results*" method="POST" access="ROLE_ANONYMOUS" />

<!-- Everything else is for the admin users -->
<sec:intercept-url pattern="/admin-ng" method="GET" access="ROLE_ADMIN, ROLE_ADMIN_UI, ROLE_COURSE_ADMIN" />
<sec:intercept-url pattern="/admin-ng/" method="GET" access="ROLE_ADMIN, ROLE_ADMIN_UI, ROLE_COURSE_ADMIN" />
<sec:intercept-url pattern="/admin-ng/index.html" access="ROLE_ADMIN, ROLE_ADMIN_UI, ROLE_COURSE_ADMIN" />
<sec:intercept-url pattern="/index.html" access="ROLE_ADMIN, ROLE_ADMIN_UI, ROLE_COURSE_ADMIN" />
<sec:intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
<sec:intercept-url pattern="/admin-ng" method="GET" access="ROLE_ADMIN, ROLE_ADMIN_UI" />
<sec:intercept-url pattern="/admin-ng/" method="GET" access="ROLE_ADMIN, ROLE_ADMIN_UI" />
<sec:intercept-url pattern="/admin-ng/index.html" access="ROLE_ADMIN, ROLE_ADMIN_UI" />
<sec:intercept-url pattern="/index.html" access="ROLE_ADMIN, ROLE_ADMIN_UI" />
<sec:intercept-url pattern="/**" access="ROLE_ADMIN" />

<!-- ############################# -->
<!-- # LOGIN / LOGOUT MECHANISMS # -->
Expand Down

0 comments on commit 72fad00

Please sign in to comment.