Jetspeed (Retired) / JS1-421

[FIX] Administrative functions not secured

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.4b5-dev / CVS
    • 1.5
    • Security
    • None
    • Operating System: Windows NT/2K
      Platform: PC
    • 24939

    Description

      Here is what I do (using nightly build from 09.09.2003):
      1. Create a new user (initially has USER role only)
      2. Log on to Jetspeed with that user's name
      3. Enter one of the following URLs into my browser:

      http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted

      and

      http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name

      Result is:
      Having only USER role I deleted portlet 'portlet_to_be_deleted' from portlet
      registry and added new permission 'inserted_permission_name'
      Should be:
      Some message about unauthorized access attempt should be displayed, or at least
      protected resources should not be modified.

          People

            morciuch@apache.org Mark Orciuch
            olaf.romanski@tpg.pl Olaf Romanski
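The report above comes down to an `action` request parameter being executed without a server-side role check. The following is an added example, not Jetspeed's or Turbine's own code and not the fix that was committed: a deny-by-default gate that would refuse both reported requests for a caller holding only the user role. The class name, the policy table and the role names `admin` and `user` are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration: deny-by-default role check for portal "action" requests. */
public class ActionGuard {
    // Hypothetical policy table: action name -> role required to run it.
    // The "admin" role name is an assumption, not taken from the issue.
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
        "portlets.PortletUpdateAction", "admin",
        "portlets.security.PermissionUpdateAction", "admin");

    /** Parse a raw query string into its parameters (first value wins). */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.putIfAbsent(URLDecoder.decode(key, StandardCharsets.UTF_8),
                               URLDecoder.decode(val, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** True only if no action is requested, or the caller holds the role that action requires. */
    static boolean isAllowed(String query, Set<String> callerRoles) {
        String action = parseQuery(query).get("action");
        if (action == null) return true;      // plain page view, nothing to execute
        String needed = REQUIRED_ROLE.get(action);
        if (needed == null) return false;     // action missing from the policy: deny by default
        return callerRoles.contains(needed);
    }

    public static void main(String[] args) {
        // Constructed sample requests, modelled on the query strings in the report.
        String[] queries = {
            "action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted",
            "action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name",
            "action=portlets.SomeUnlistedAction&eventSubmit_doUpdate=true",
            "" };
        Set<String> user = Set.of("user");
        Set<String> admin = Set.of("user", "admin");
        for (String q : queries)
            System.out.printf("user=%-5s admin=%-5s %s%n", isAllowed(q, user),
                              isAllowed(q, admin), q.isEmpty() ? "(no action)" : q);
    }
}
```

The check keys on the action name rather than on the page template, so it applies regardless of which template URL the parameters are attached to.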