portals-jetspeed-dev mailing list archives

From j...@apache.org
Subject [jira] Commented: (JS1-421) [FIX] Administrative functions not secured
Date Thu, 01 Apr 2004 22:28:43 GMT
The following comment has been added to this issue:

     Author: Mark Orciuch
    Created: Thu, 1 Apr 2004 2:27 PM
       Body:
Change implemented and committed. Who's going to close this issue?
---------------------------------------------------------------------
View this comment:
  http://issues.apache.org/jira/browse/JS1-421?page=comments#action_27904

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/JS1-421

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: JS1-421
    Summary: [FIX] Administrative functions not secured
       Type: Bug

     Status: Open

    Project: Jetspeed
 Components: 
             Security
   Versions:
             1.4b5-dev / CVS

   Assignee: Jetspeed Developer Mailing List
   Reporter: Olaf Romanski

    Created: Mon, 24 Nov 2003 12:16 PM
    Updated: Thu, 1 Apr 2004 2:27 PM
Environment: Operating System: Windows NT/2K
Platform: PC

Description:
Here is what I do (using nightly build from 09.09.2003):
1. Create a new user (initially has USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URLs into my browser:

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted

and

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name

Result is:
Having only USER role I deleted portlet 'portlet_to_be_deleted' from portlet 
registry and added new permission 'inserted_permission_name'
Should be:
Some message about unauthorized access attempt should be displayed, or at least 
protected resources should not be modified.


---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
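
An added example, not part of the original message and not Jetspeed's code: a deny-by-default role check keyed on the `action` request parameter, run against the two URLs from the report. The class `ActionGate`, the role names `user` and `admin`, and the role table are assumptions made for illustration; the fix that was committed is not shown on this page.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ActionGate {
    // The two action names come from the report; the role names and this
    // table are assumptions made for the example.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
        "portlets.PortletUpdateAction", "admin",
        "portlets.security.PermissionUpdateAction", "admin");

    // Collect every value of the "action" parameter, so that a repeated
    // parameter cannot carry a second action past the check.
    static List<String> actions(String url) {
        List<String> found = new ArrayList<>();
        String query = URI.create(url).getRawQuery();
        if (query == null) return found;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (URLDecoder.decode(kv[0], StandardCharsets.UTF_8).equals("action")) {
                found.add(kv.length > 1
                    ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
            }
        }
        return found;
    }

    // Deny by default: an action with no entry in the table is refused,
    // and every requested action must be covered by the caller's roles.
    static boolean allowed(String url, Set<String> roles) {
        for (String action : actions(url)) {
            String needed = REQUIRED_ROLE.get(action);
            if (needed == null || !roles.contains(needed)) return false;
        }
        return true; // no action parameter: an ordinary page view
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/jetspeed/portal/template/Home/template/Home?";
        String del = base + "action=portlets.PortletUpdateAction"
            + "&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted";
        String ins = base + "action=portlets.security.PermissionUpdateAction"
            + "&eventSubmit_doInsert=true&name=inserted_permission_name";
        System.out.println("USER only, delete portlet:    " + allowed(del, Set.of("user")));
        System.out.println("USER only, insert permission: " + allowed(ins, Set.of("user")));
        System.out.println("USER+ADMIN, delete portlet:   " + allowed(del, Set.of("user", "admin")));
    }
}
```

The check has to run on the server before the action is dispatched; hiding the administrative links from USER-role pages does not stop a hand-typed URL like the ones in the report.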

