  1. OpenMRS Core
  2. TRUNK-4099

Daemon user cannot save a user


    Details

      Description

      It is not possible to save a user from a daemon thread because the logic in UserServiceImpl.checkPrivileges wrongly checks if the authenticated user has all the privileges that the other user being saved has.

      Due to this, Daemon can update a system developer's account and no other user unless the user has no privilege at all in the system.

      The code needs to be changed not to call authenticatedUser.hasPrivilege(privilege) but rather Context.hasPrivilege(privilege), since it checks if the user is either superuser or the code is being executed from a Daemon Thread, which would pass for Daemon thread too.

      Another strange behavior according to the current code is that any user can update a system developer account if they have save and edit user privileges, even if they are not super user themselves. I think to update a system developer account you need to be a system developer too.
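
The check described in this ticket, as an added example that is not the OpenMRS Core source: a self-contained model of the "before" comparison against the authenticated user and the proposed context-level check. The class, record and method names, the daemon flag parameter and the sample users are all assumptions made for illustration.

```java
import java.util.Set;

// Simplified model of the check described in TRUNK-4099 (requires Java 16+ for records).
// All names here are illustrative stand-ins, not the OpenMRS Core classes.
public class CheckPrivilegesModel {

    record User(String name, Set<String> privileges, boolean superUser) {
        boolean hasPrivilege(String p) { return superUser || privileges.contains(p); }
    }

    // Stand-in for the context-level check the ticket proposes: it passes for a
    // superuser or when the code is executing on a daemon thread.
    static boolean contextHasPrivilege(User authenticated, boolean daemonThread, String p) {
        return daemonThread || (authenticated != null && authenticated.hasPrivilege(p));
    }

    // Reported behaviour: every privilege of the user being saved is compared
    // against the authenticated user object only, so the daemon thread is ignored.
    static boolean canSaveBefore(User authenticated, User target) {
        for (String p : target.privileges()) {
            if (authenticated == null || !authenticated.hasPrivilege(p)) return false;
        }
        return true;
    }

    // Proposed change: ask the context instead, which also honours the daemon thread.
    static boolean canSaveAfter(User authenticated, boolean daemonThread, User target) {
        for (String p : target.privileges()) {
            if (!contextHasPrivilege(authenticated, daemonThread, p)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample users; the daemon user is assumed to hold no privileges.
        User daemon = new User("daemon", Set.of(), false);
        User clerk = new User("clerk", Set.of("View Patients"), false);
        User guest = new User("guest", Set.of(), false);

        System.out.println("before, daemon saves clerk: " + canSaveBefore(daemon, clerk));
        System.out.println("before, daemon saves guest: " + canSaveBefore(daemon, guest));
        System.out.println("after, daemon saves clerk:  " + canSaveAfter(daemon, true, clerk));
        System.out.println("after, guest saves clerk:   " + canSaveAfter(guest, false, clerk));
    }
}
```

The last case is the one to keep an eye on when changing the check: outside a daemon thread, a user without the target's privileges must still be refused.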


              People

              Assignee:
              raff Rafal Korytkowski
              Reporter:
              wyclif Wyclif Luyima
              Designated Committer:
              Rafal Korytkowski

                  Time Tracking

                  Estimated: 3h
                  Remaining: 3h
                  Logged: Not Specified