Alon Bar-Lev has posted comments on this change.

Change subject: aaa: Remove userId parameter from LogoutUserCommand

Patch Set 1:

(1 comment)

https://gerrit.ovirt.org/#/c/38403/1/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/LogoutBySessionCommand.java
File backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/LogoutBySessionCommand.java:

Lines 26-30:
> 1. RestApiSessionMgmtFilter calls LogoutBySession command with sessionId sp

hmmmm....

I suggest to split between various use cases to reduce the chance of breaking security.

1. internal usage - restapi logout - only internal usage.

2. user self logout - based on existing mechanism as session id is already provided, opened for everyone.

3. force logout of admin based on session id (numeric id) - only superuser or other role.

maybe in current design of engine it is 3 commands, I am fine with it.

--
To view, visit https://gerrit.ovirt.org/38403

Gerrit-MessageType: comment
Gerrit-Change-Id: Ia33c7dfd908c68ac06b717c0452e3de4564f35a7
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Martin Peřina <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Martin Peřina <[email protected]>
Gerrit-Reviewer: Oved Ourfali <[email protected]>
Gerrit-Reviewer: Ravi Nori <[email protected]>
Gerrit-Reviewer: Yevgeny Zaspitsky <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
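
The three-way split proposed in the comment above, as an added sketch that is not part of the original message and is not oVirt engine code. The class `LogoutUseCases`, its methods, the `Session` record and the sample session ids are all hypothetical; the point is that each entry point carries its own authorization rule.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: all names here are illustrative, not oVirt engine APIs.
public class LogoutUseCases {
    record Session(long numericId, String user, boolean superUser) {}

    // Keyed by the secret session id that only the session owner and the engine hold.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    void login(String secretId, Session s) { sessions.put(secretId, s); }

    // Use case 1: internal only (e.g. REST API session cleanup). Package-private,
    // so it is never reachable as a user-invocable command.
    boolean logoutInternal(String secretId) {
        return sessions.remove(secretId) != null;
    }

    // Use case 2: self logout, open to everyone. The caller can only end the
    // session whose secret id it presents; there is no separate target parameter.
    public boolean logoutSelf(String callerSecretId) {
        return sessions.remove(callerSecretId) != null;
    }

    // Use case 3: forced logout by numeric id. The numeric id is not a secret,
    // so the caller's role is the only thing that authorizes the action.
    public boolean forceLogout(String callerSecretId, long targetNumericId) {
        Session caller = sessions.get(callerSecretId);
        if (caller == null || !caller.superUser()) {
            throw new SecurityException("forced logout requires superuser");
        }
        return sessions.values().removeIf(s -> s.numericId() == targetNumericId);
    }

    public static void main(String[] args) {
        LogoutUseCases m = new LogoutUseCases();
        // Constructed sample sessions.
        m.login("secret-a", new Session(1, "alice", false));
        m.login("secret-b", new Session(2, "bob", false));
        m.login("secret-r", new Session(3, "root", true));
        try {
            m.forceLogout("secret-a", 2); // alice is not a superuser
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println("root forces bob out: " + m.forceLogout("secret-r", 2));
        System.out.println("alice logs herself out: " + m.logoutSelf("secret-a"));
        System.out.println("internal cleanup of bob: " + m.logoutInternal("secret-b"));
    }
}
```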
