portals-jetspeed-dev mailing list archives

From j...@apache.org
Subject [jira] Assigned: (JS1-421) [FIX] Administrative functions not secured
Date Fri, 02 Apr 2004 17:54:44 GMT
Message:

   The following issue has been re-assigned.

   Assignee: Mark Orciuch (mailto:morciuch@apache.org)
---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/JS1-421

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: JS1-421
    Summary: [FIX] Administrative functions not secured
       Type: Bug

     Status: Open

    Project: Jetspeed
 Components: 
             Security
   Fix Fors:
             1.5
   Versions:
             1.4b5-dev / CVS

   Assignee: Mark Orciuch
   Reporter: Olaf Romanski

    Created: Mon, 24 Nov 2003 12:16 PM
    Updated: Fri, 2 Apr 2004 9:52 AM
Environment: Operating System: Windows NT/2K
Platform: PC

Description:
Here is what I do (using nightly build from 09.09.2003):
1. Create a new user (initially has USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URLs into my browser:

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted

and

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name

Result is:
Having only USER role I deleted portlet 'portlet_to_be_deleted' from portlet 
registry and added new permission 'inserted_permission_name'
Should be:
Some message about unauthorized access attempt should be displayed, or at least 
protected resources should not be modified.


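The control missing in the report above is a role check made before the class named in the `action` parameter is executed. The following is an added example, not Jetspeed code and not from the reporter: a deny-by-default gate keyed on the action name. The `ActionGate` class, the `admin` role name and the `portlets.UnlistedAction` entry are assumptions for illustration; the two real action names and URLs are the ones quoted in the report.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ActionGate {
    // Hypothetical policy: role required to run each action. The action names are the
    // two from the report; the "admin" role name is an assumption.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
        "portlets.PortletUpdateAction", "admin",
        "portlets.security.PermissionUpdateAction", "admin");

    // Split the query string into decoded name/value pairs.
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                       kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return params;
    }

    // Decide before the action runs. An action with no policy entry is denied,
    // so a newly added action is closed until someone assigns it a role.
    static boolean isAllowed(Set<String> userRoles, Map<String, String> params) {
        String action = params.get("action");
        if (action == null) return true;   // plain page view, nothing to execute
        String needed = REQUIRED_ROLE.get(action);
        return needed != null && userRoles.contains(needed);
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/jetspeed/portal/template/Home/template/Home?";
        String[] urls = {
            base + "action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted",
            base + "action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name",
            base + "action=portlets.UnlistedAction&eventSubmit_doUpdate=true" };  // constructed: no policy entry
        for (Set<String> roles : List.of(Set.of("user"), Set.of("user", "admin"))) {
            for (String url : urls) {
                Map<String, String> p = parseQuery(url);
                System.out.printf("%-10s %-42s -> %s%n", roles.contains("admin") ? "user+admin" : "user",
                    p.get("action"), isAllowed(roles, p) ? "dispatch" : "deny");
            }
        }
    }
}
```

The check belongs on the server at the point where the action is dispatched, since hiding the administrative links from the USER role does nothing against a URL typed directly into the browser.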