
RANGER-5657: Limit getAllModuleNames() to sys-admin sessions in SessionMgr#1043

Merged
ramackri merged 1 commit into
ranger-2.9from
RANGER-5657-backport-ranger-2.9
Jul 4, 2026

Conversation

@ramackri ramackri commented Jul 4, 2026

Contributor

Summary

Backport of 0274a6a0 / #1036 to ranger-2.9.

Follow-up fix for RANGER-5627. RANGER-5627 changed SessionMgr.resetUserModulePermission() to grant all UI modules when isUserAdmin() || isKeyAdmin(). That incorrectly gives DB key-admin users the full module list (including Security Zone) via getAllModuleNames().

Fix: use getAllModuleNames() only when userSession.isUserAdmin(). Config super-users are unaffected (they already get full admin through superUserisUserAdmin()).

Fixes RANGER-5657.

Test plan

  • mvn test -pl security-admin -Dtest=TestSessionMgr,TestRangerSuperUserConfig -Drat.skip=true -Dcheckstyle.skip=true -Dpmd.skip=true -Dspotbugs.skip=true
  • Manual: DB key-admin should not see Security Zone in profile; zone GET returns 400
  • Manual: sys admin and config super-users unchanged (all modules, zone GET 200)

Made with Cursor
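The role check the description above refers to, as an added example that is not Ranger's SessionMgr code: a minimal stand-in for the session and the UI module list, with the RANGER-5627 condition (isUserAdmin() || isKeyAdmin()) beside the RANGER-5657 one (isUserAdmin() only). The Session class, every module name other than Security Zone, and the narrower key-admin module set are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example; not code from Apache Ranger. It models the role check the PR
// changes with a minimal stand-in for the session and the UI module list.
public class ModulePermissionExample {

    // Stand-in for the user session: only the two role flags the PR discusses.
    static final class Session {
        final boolean userAdmin; // sys-admin session (isUserAdmin())
        final boolean keyAdmin;  // DB key-admin session (isKeyAdmin())

        Session(boolean userAdmin, boolean keyAdmin) {
            this.userAdmin = userAdmin;
            this.keyAdmin = keyAdmin;
        }

        boolean isUserAdmin() { return userAdmin; }
        boolean isKeyAdmin()  { return keyAdmin; }
    }

    // Stand-in for getAllModuleNames(). Only "Security Zone" is named by the PR;
    // the other entries are constructed for the example.
    static List<String> getAllModuleNames() {
        return Arrays.asList("Resource Based Policies", "Users/Groups", "Reports",
                "Audit", "Key Manager", "Tag Based Policies", "Security Zone");
    }

    // Assumed module set for a key admin once the short-circuit no longer applies.
    static List<String> keyAdminModules() {
        return Collections.singletonList("Key Manager");
    }

    // Condition introduced by RANGER-5627: any admin-like role gets every module.
    static Set<String> modulesBeforeFix(Session s) {
        if (s.isUserAdmin() || s.isKeyAdmin()) {
            return new LinkedHashSet<>(getAllModuleNames());
        }
        return Collections.emptySet();
    }

    // Condition after RANGER-5657: only a sys-admin session gets the full list;
    // a key admin falls through to its own, narrower set.
    static Set<String> modulesAfterFix(Session s) {
        if (s.isUserAdmin()) {
            return new LinkedHashSet<>(getAllModuleNames());
        }
        if (s.isKeyAdmin()) {
            return new LinkedHashSet<>(keyAdminModules());
        }
        return Collections.emptySet();
    }

    public static void main(String[] args) {
        Session keyAdmin = new Session(false, true);
        Session sysAdmin = new Session(true, false);

        System.out.println("key admin before fix: " + modulesBeforeFix(keyAdmin));
        System.out.println("key admin after fix:  " + modulesAfterFix(keyAdmin));
        System.out.println("sys admin after fix:  " + modulesAfterFix(sysAdmin));

        // The regression the PR is about: a key admin must not see Security Zone,
        // while a sys admin keeps the full list.
        if (modulesAfterFix(keyAdmin).contains("Security Zone")) {
            throw new IllegalStateException("key admin still granted Security Zone");
        }
        if (!modulesAfterFix(sysAdmin).containsAll(getAllModuleNames())) {
            throw new IllegalStateException("sys admin lost modules");
        }
    }
}
```

The checks in main mirror the manual part of the test plan: the key-admin session's module set must not contain Security Zone after the fix, and the sys-admin session's set must be unchanged. Config super-users are not modelled here, since the description says they reach the full list through a separate path.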

…onMgr

Backport of 0274a6a (#1036) to ranger-2.9.

Key admin sessions should not receive the full module list via getAllModuleNames();
only sys-admin (user admin) sessions should.
@ramackri ramackri merged commit e62a798 into ranger-2.9 Jul 4, 2026
1 check passed