UME API - no security checks?
I'm developing a simple app to allow a group of end-users to assign/de-assign a role from a group to control the presentation of portal content. I've written the following code:
    IGroup group = UMFactory.getGroupFactory().getMutableGroup( "GRUP.PRIVATE_DATASOURCE.un:Test_Group" );
    group.addToRole( "ROLE.UME_ROLE_PERSISTENCE.un:a.test.role" );
    group.save();
I created a test user with no privileges, and executed the application (a Web Dynpro application that requires authentication), and much to my surprise, the above code was executed, and the group was assigned the role.
In fact, I removed the requirement for authenticating, and I was STILL able to assign the role to the group just by hitting the application URL.
How can this be? Are there not any security checks in the UME api to prevent non-privileged users from assigning security roles?
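
An added example, not part of the original post and not SAP's own code: one way for the application itself to gate the call from the post behind an explicit authorization check, using `IUser.checkPermission` from the UME API. The class `RoleAssigner`, the permission class `GroupRoleAdminPermission` and its name and action strings are hypothetical, and the example assumes that permission has been mapped to a UME action that is assigned only to the intended administrators.

```java
import java.security.AccessControlException;

import com.sap.security.api.IGroup;
import com.sap.security.api.IUser;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
import com.sap.security.api.permissions.ActionPermission;

public class RoleAssigner {

    // Hypothetical permission. It has to be mapped to a UME action, and that
    // action assigned to a role, before any user passes the check below.
    public static class GroupRoleAdminPermission extends ActionPermission {
        public GroupRoleAdminPermission(String name, String action) {
            super(name, action);
        }
    }

    // Both IDs are fixed server-side and never read from request parameters.
    private static final String GROUP_ID = "GRUP.PRIVATE_DATASOURCE.un:Test_Group";
    private static final String ROLE_ID = "ROLE.UME_ROLE_PERSISTENCE.un:a.test.role";

    public static void assignRole() throws UMException {
        // Assumption: getLoggedInUser() yields null when nobody is authenticated.
        IUser caller = UMFactory.getAuthenticator().getLoggedInUser();
        if (caller == null) {
            throw new AccessControlException("no authenticated user");
        }

        // Throws AccessControlException unless the caller holds the permission,
        // so the role change below is never reached by an unprivileged user.
        caller.checkPermission(new GroupRoleAdminPermission("portal_content", "assign"));

        // Same calls as in the post, now reached only after the check.
        IGroup group = UMFactory.getGroupFactory().getMutableGroup(GROUP_ID);
        group.addToRole(ROLE_ID);
        group.save();
    }
}
```

The check only helps if the application also requires authentication, so that the caller resolved here is the real end user.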