It appears that a user with the tomcat role
can upgrade himself to the admin role.
Scenario with appfuse 1.8[.1]:
-------------------------------
a) log in to appfuse as a user with the tomcat role
b) click on the 'edit profile' link
c) save the displayed HTML page (editProfile.html)
to your disk
d) Edit the editProfile.html file:
- update the form tag action attribute:
action="/saveUser.html" becomes
action="http://yourAppfuseWebServer/saveUser.html"
- update input tag for userRoles (field value 'tomcat'
replaced by 'admin'):
<input name="userRoles" value="tomcat" type="hidden">
becomes
<input name="userRoles" value="admin" type="hidden">
e) load the editProfile.html file in your browser
and submit it -> the user profile is updated and the
role is upgraded
f) log out, reconnect several times with the same
user as before: you have admin privileges (the admin
menu links appear)
Code in the appfuse struts version:
-----------------------------------
In class UserAction, method save,
we have the following code, which explains it:
    // Roles are read straight from the submitted form; nothing checks
    // whether the authenticated user is allowed to assign them.
    String[] userRoles = request.getParameterValues("userRoles");
    for (int i = 0; userRoles != null && i < userRoles.length; i++) {
        String roleName = userRoles[i];
        user.addRole(roleMgr.getRole(roleName));
    }
So a user with the tomcat role can upgrade their role
by editing the editProfile.html form.
-----------------------
Matt's reply:
In AppFuse 1.8.1, a similar bug
was fixed:
http://issues.appfuse.org/browse/APF-50
You could probably fix this by adding logic to the UserSecurityAdvice
class that does not allow a user with non-admin role to assign an
admin role.
Can you please enter a bug for this in JIRA?
https://appfuse.dev.java.net/source/browse/appfuse/src/service/org/appfuse/service/UserSecurityAdvice.java?r1=1.2&r2=1.3
https://appfuse.dev.java.net/source/browse/appfuse/src/service/org/appfuse/service/applicationContext-service.xml?r1=1.21&r2=1.22
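The following is an added, self-contained example written for this page; it is not AppFuse code and not code from either poster. It models the save loop quoted from UserAction (roles copied verbatim from the request) next to a hardened variant in the spirit of Matt's suggestion: the decision about which roles may be assigned is taken from the authenticated principal rather than from the form, so a non-admin can only keep the roles already stored for the target user. The class name, the User stand-in, the Map used in place of the servlet request, and the helper names are all assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example, not AppFuse code. Names below are assumptions.
public class RoleEscalationDemo {

    // Minimal stand-in for the AppFuse User object: a name and a role set.
    static final class User {
        final String username;
        final Set<String> roles = new TreeSet<>();
        User(String username, String... initialRoles) {
            this.username = username;
            roles.addAll(Arrays.asList(initialRoles));
        }
        void addRole(String role) { roles.add(role); }
    }

    // Vulnerable: mirrors the quoted loop. Every "userRoles" value sent by
    // the client is added to the user; the client controls the hidden field.
    static User saveVulnerable(User user, Map<String, String[]> request) {
        String[] userRoles = request.get("userRoles");
        for (int i = 0; userRoles != null && i < userRoles.length; i++) {
            user.addRole(userRoles[i]);
        }
        return user;
    }

    // Hardened: 'authenticated' is the logged-in principal (in a servlet this
    // would come from the session / request.isUserInRole, never from a form
    // field) and 'target' is the user record loaded from the database.
    // Only an admin may introduce a role the target does not already hold.
    static User saveHardened(User authenticated, User target,
                             Map<String, String[]> request) {
        String[] userRoles = request.get("userRoles");
        boolean callerIsAdmin = authenticated.roles.contains("admin");
        for (int i = 0; userRoles != null && i < userRoles.length; i++) {
            String roleName = userRoles[i];
            if (!callerIsAdmin && !target.roles.contains(roleName)) {
                throw new SecurityException(authenticated.username
                        + " may not assign role '" + roleName + "'");
            }
            target.addRole(roleName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed request: the hidden field has been edited from
        // "tomcat" to "admin", as in step d) of the scenario above.
        Map<String, String[]> forged = new HashMap<>();
        forged.put("userRoles", new String[] {"admin"});

        // 1. Vulnerable path: the tomcat user ends up holding admin.
        User escalated = saveVulnerable(new User("alice", "tomcat"), forged);
        System.out.println("vulnerable save -> " + escalated.roles);

        // 2. Hardened path, same forged request from a non-admin: rejected.
        try {
            saveHardened(new User("alice", "tomcat"),
                         new User("alice", "tomcat"), forged);
            System.out.println("hardened save -> unexpectedly accepted");
        } catch (SecurityException e) {
            System.out.println("hardened save -> rejected: " + e.getMessage());
        }

        // 3. Hardened path, a genuine admin granting admin to someone else:
        //    still allowed, so the legitimate admin workflow keeps working.
        User granted = saveHardened(new User("root", "admin"),
                                    new User("bob", "tomcat"), forged);
        System.out.println("hardened save by admin -> " + granted.roles);
    }
}
```

The point of the hardened variant is that the authorization input (who is the caller, what does the target currently hold) is read from server-side state, while the form only expresses a request that is then validated against it. Wherever the check actually lives (the action, or an advice class around the service layer as Matt proposes), it has to be enforced before the roles are persisted; a hidden input is never a trust boundary.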