To recreate the bug using a default AppFuse Struts2 modular app, do the following:
1) start the webapp (mvn jetty:run)
2) log in as "user/user"
3) edit the user profile, change the Username to "user2"
4) press the Save button
See this error:
Yikes!
org.acegisecurity.AccessDeniedException: Access Denied: Only administrators are allowed to modify other users.
at org.appfuse.service.UserSecurityAdvice.before(UserSecurityAdvice.java:63)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy22.saveUser(Unknown Source)
at org.appfuse.webapp.action.UserAction.save(UserAction.java:155)
[SNIP]
Problem: Users should be able to change their username. UserSecurityAdvice checks for users based on username when it should check based on id.
Discovered thanks to APF-800.