portals-jetspeed-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 14907] - Any non-admin user can add/delete portlets of other users
Date Fri, 10 Jan 2003 18:38:52 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14907>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14907

Any non-admin user can add/delete portlets of other users





------- Additional Comments From mike_mclawhorn_1@hotmail.com  2003-01-10 18:38 -------
Users can customize and even see the data of the customization still, if 
?action=controls.Customize is hit directly. (No portlet set is evaluated)

Ex:

http://localhost:8080/adt2/portal/media-type/html/user/Deryk_Wilcox/page/default.psml/js_peid/P-f136dd9e98-1000f?action=controls.Customize

With security settings:
    <portlet-entry name="Scarab" hidden="false" type="ref"
        parent="CustomizerVelocity" application="false">
        <security-ref parent="owner-only"/>
        <meta-info>
            <title>Scarab</title>
            <description>Scarab Issue Tracking</description>
        </meta-info>
        <classname>org.apache.jetspeed.portal.portlets.CustomizerVelocityPortlet</classname>
        <parameter name="template" value="scarab" hidden="false"
            cachedOnName="true" cachedOnValue="true"/>
        <parameter name="action" value="portlets.ScarabAction"
            hidden="false" cachedOnName="true" cachedOnValue="true"/>
        <parameter name="module" value="Test" hidden="false"
            cachedOnName="true" cachedOnValue="true"/>
        <parameter name="assignedTo" value="" hidden="true"
            cachedOnName="true" cachedOnValue="true"/>
        <parameter name="sortBy" value="1" hidden="true"
            cachedOnName="true" cachedOnValue="true"/>
        <media-type ref="html"/>
        <url cachedOnURL="true"/>
    </portlet-entry>

And even (from portlets.xreg):
    <portlet-entry name="CustomizerVelocity" hidden="false"
        type="abstract" application="false">
        <security-ref parent="owner-only"/>
        
        <classname>org.apache.jetspeed.portal.portlets.CustomizerVelocityPortlet</classname>
        <url cachedOnURL="true"/>
        <category group="Jetspeed">velocity</category>
    </portlet-entry>

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>
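
Added example, not part of the original bug comment and not Jetspeed code: a log check for the pattern the report describes, a successful controls.Customize request on a page under /user/<name>/ made by someone other than that user. It assumes Common Log Format with the portal user in the remote-user field; the log lines, addresses and the user alice are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Common Log Format, authenticated portal user in the third field.
# Adjust LOG_RE to the format the servlet container actually writes.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Path layout taken from the example URL in the report: .../user/<owner>/page/...
OWNER_RE = re.compile(r'/portal/(?:.*/)?user/([^/]+)/page/')


def cross_user_customize(lines):
    """Return (auth_user, page_owner, path) for every successful request that
    invokes controls.Customize on a page owned by a different user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        _ip, auth_user, _ts, _method, target, status = m.groups()
        url = urlsplit(target)
        actions = parse_qs(url.query).get("action", [])
        owner = OWNER_RE.search(url.path)
        if "controls.Customize" not in actions or owner is None:
            continue
        # "-" (no authenticated user) also counts as a mismatch.
        if status.startswith("2") and auth_user != owner.group(1):
            hits.append((auth_user, owner.group(1), url.path))
    return hits


# Path from the report's example URL (context root /adt2 as given there).
PAGE = ("/adt2/portal/media-type/html/user/Deryk_Wilcox/page/default.psml"
        "/js_peid/P-f136dd9e98-1000f")
Q = "?action=controls.Customize"
# Constructed sample log lines.
SAMPLE = [
    f'192.0.2.5 - Deryk_Wilcox [10/Jan/2003:18:30:00 +0000] "GET {PAGE}{Q} HTTP/1.1" 200 5120',
    f'192.0.2.9 - alice [10/Jan/2003:18:31:00 +0000] "GET {PAGE}{Q} HTTP/1.1" 200 5120',
    f'192.0.2.9 - alice [10/Jan/2003:18:32:00 +0000] "GET {PAGE}{Q} HTTP/1.1" 403 312',
    f'192.0.2.9 - alice [10/Jan/2003:18:33:00 +0000] "GET {PAGE} HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for user, owner, path in cross_user_customize(SAMPLE):
        print(f"{user} customized a page owned by {owner}: {path}")
```

Only the second sample line is reported: the owner's own request, the denied request and the plain page view are ignored.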

