Details
Description
Here is what I do (using nightly build from 09.09.2003):
1. Create a new user (initially has USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URL's into my browser:
http://localhost:8080/jetspeed/portal/template/Home/template/Home?
action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portl
et_to_be_deleted
and
http://localhost:8080/jetspeed/portal/template/Home/template/Home?
action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=i
nserted_permission_name
Result is:
Having only USER role I deleted portlet 'portlet_to_be_deleted' from portlet
registry and added new permission 'inserted_permission_name'
Should be:
Some message about unauthorized access attempt should be displayed, or at least
protected resources should not be modified.