From morci...@apache.org
Subject cvs commit: jakarta-jetspeed/xdocs changes.xml
Date Wed, 15 Jan 2003 18:01:29 GMT
morciuch    2003/01/15 10:01:29

  Modified:    docs/site changes.html
               src/java/org/apache/jetspeed/modules/actions/controls
                        Customize.java
               webapp/WEB-INF/conf security.xreg
               webapp/WEB-INF/psml/user/anon/html default.psml
               webapp/WEB-INF/psml/user/anon/html/en default.psml news.psml
               webapp/WEB-INF/psml/user/anon/html/es default.psml news.psml
               webapp/WEB-INF/psml/user/anon/wml default.psml
               webapp/WEB-INF/psml/user/anon/wml/en default.psml
               webapp/WEB-INF/psml/user/anon/xml default.psml
               xdocs    changes.xml
  Log:
  Added checks to prevent unauthorized customize access to properly protected psml resources
(see Bugzilla bug# 15968). "Properly protected" means having a security constraint for the
psml AND each pane it contains.
  
  Also, protected anonymous psml from unauthorized customization via newly added "anon-view_admin-all"
constraint.
  
  Revision  Changes    Path
  1.95      +3 -0      jakarta-jetspeed/docs/site/changes.html
  
  Index: changes.html
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/docs/site/changes.html,v
  retrieving revision 1.94
  retrieving revision 1.95
  diff -u -r1.94 -r1.95
  --- changes.html	14 Jan 2003 19:54:41 -0000	1.94
  +++ changes.html	15 Jan 2003 18:01:28 -0000	1.95
  @@ -133,6 +133,9 @@
   </li>
   -->
   <li>
  +  Fixed - Bug # 15968 - 2003/01/15 - Added check to prevent unauthorized customize access
to properly protected psml (MO)
  +</li>
  +<li>
     Fixed - Bug # 15972 - 2003/01/13 - Role merge feature fails to properly sequence the
resulting panes (MO)
   </li>
   <li>
  
  
  
  1.15      +24 -0     jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/controls/Customize.java
  
  Index: Customize.java
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/controls/Customize.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- Customize.java	8 Nov 2002 23:13:44 -0000	1.14
  +++ Customize.java	15 Jan 2003 18:01:28 -0000	1.15
  @@ -70,6 +70,9 @@
   import org.apache.jetspeed.services.statemanager.SessionState;
   import org.apache.jetspeed.util.template.JetspeedLink;
   import org.apache.jetspeed.util.template.JetspeedLinkFactory;
  +import org.apache.jetspeed.services.security.PortalResource;
  +import org.apache.jetspeed.services.JetspeedSecurity;
  +import org.apache.jetspeed.om.security.JetspeedUser;
   
   import java.util.Enumeration;
   import java.util.Stack;
  @@ -194,6 +197,27 @@
   
           if (found!=null)
           {
  +            PortalResource portalResource = new PortalResource(found);
  +            try
  +            {
  +                JetspeedLink jsLink = JetspeedLinkFactory.getInstance(rundata);
  +                portalResource.setOwner(jsLink.getUserName());
  +                JetspeedLinkFactory.putInstance(jsLink);
  +            }
  +            catch (Exception e)
  +            {
  +                Log.warn(e.toString());
  +                portalResource.setOwner(null);
  +            }
  +
  +            if(!JetspeedSecurity.checkPermission((JetspeedUser) jdata.getUser(), 
  +                                                 portalResource, 
  +                                                 JetspeedSecurity.PERMISSION_CUSTOMIZE))
  +            {
  +                Log.warn("User " + jdata.getUser().getUserName() + " has no customize permission
for portlet with id " + peid);
  +                jdata.setMessage("Sorry, you have no customize permission for this portlet");
  +                return;
  +            }
               jdata.setCustomized(found);
               jdata.setScreenTemplate("Customize");
           }
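Review bot: `JetspeedLinkFactory.putInstance(jsLink)` sits inside the `try`, so when `jsLink.getUserName()` or `setOwner` throws, the link obtained from the factory is never handed back; releasing it in a `finally` fixes that. The `catch` then clears the owner and falls through to `checkPermission`, so whether a failed owner lookup ends in a denial depends on how `checkPermission` treats an ownerless resource, which is not visible here and is worth confirming or replacing with an explicit deny-and-return. In the denial branch, `jdata.getUser().getUserName()` would throw if `getUser()` can be null for this request, and `peid` is concatenated into the log line unmodified, so it should have CR/LF stripped if it originates from the request. The enclosing method starts and ends outside this hunk.

```java
PortalResource portalResource = new PortalResource(found);
JetspeedLink jsLink = null;
try
{
    jsLink = JetspeedLinkFactory.getInstance(rundata);
    portalResource.setOwner(jsLink.getUserName());
}
// … unchanged: catch block that logs the exception and clears the owner …
finally
{
    // Hand the link back on the error path as well as on success.
    if (jsLink != null)
    {
        JetspeedLinkFactory.putInstance(jsLink);
    }
}
// … unchanged: checkPermission test and denial branch …
```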
  
  
  
  1.5       +12 -0     jakarta-jetspeed/webapp/WEB-INF/conf/security.xreg
  
  Index: security.xreg
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/conf/security.xreg,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- security.xreg	25 Aug 2002 20:14:59 -0000	1.4
  +++ security.xreg	15 Jan 2003 18:01:28 -0000	1.5
  @@ -51,4 +51,16 @@
               <allow-if role="user"/>
           </access>
       </security-entry>
  +     <security-entry name="anon-view_admin-all">
  +         <meta-info>
  +             <title>Anon+V and Admin+C</title>
  +             <description>Anonymous can view and Admin have full access.</description>
  +         </meta-info>
  +         <access action="*">
  +             <allow-if role="admin"/>
  +         </access>
  +         <access action="view">
  +             <allow-if user="anon"/>
  +         </access>
  +     </security-entry>    
   </registry>
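Review bot: The `<title>` of the new entry reads "Anon+V and Admin+C" while the rule below it grants admins `action="*"`, so the title understates what the entry allows; something like `<title>Anon view, Admin all</title>` would match both the entry name and the description. The view rule names only `user="anon"`, so whether a signed-in non-admin user can still view pages carrying this constraint depends on how the registry evaluates `allow-if`, which is not visible here and is worth stating in a comment on the entry.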
  
  
  
  1.7       +6 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/default.psml,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- default.psml	20 Nov 2002 00:18:54 -0000	1.6
  +++ default.psml	15 Jan 2003 18:01:28 -0000	1.7
  @@ -1,5 +1,8 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
  +
  +    <security-ref parent="anon-view_admin-all"/>
  +
       <metainfo>
         <title>Default Jetspeed Page</title>
       </metainfo>
  @@ -11,6 +14,7 @@
     </controller>
   
     <portlets id="101">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="RowController">
         <parameter name="sizes" value="66%,34%"/>
       </controller>
  @@ -37,6 +41,7 @@
     </portlets>
   
     <portlets id="107">
  +    <security-ref parent="anon-view_admin-all"/>  
       <metainfo>
         <title>RSS</title>
       </metainfo>
  @@ -80,6 +85,7 @@
     </portlets>
   
     <portlets id="114">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="TwoColumns"/>
   
       <metainfo>
  
  
  
  1.8       +4 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/default.psml,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- default.psml	20 Nov 2002 00:18:54 -0000	1.7
  +++ default.psml	15 Jan 2003 18:01:28 -0000	1.8
  @@ -1,5 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
  +    <security-ref parent="anon-view_admin-all"/>
       <metainfo>
         <title>Default Jetspeed Page</title>
       </metainfo>
  @@ -11,6 +12,7 @@
     </controller>
   
     <portlets id="101">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="RowController">
         <parameter name="sizes" value="66%,34%"/>
       </controller>
  @@ -31,6 +33,7 @@
     </portlets>
   
     <portlets id="107">
  +    <security-ref parent="anon-view_admin-all"/>  
       <metainfo>
         <title>RSS</title>
       </metainfo>
  @@ -74,6 +77,7 @@
     </portlets>
   
     <portlets id="114">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="TwoColumns"/>
   
       <metainfo>
  
  
  
  1.5       +1 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/news.psml
  
  Index: news.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/news.psml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- news.psml	20 Nov 2002 00:18:54 -0000	1.4
  +++ news.psml	15 Jan 2003 18:01:28 -0000	1.5
  @@ -1,5 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets id="100" user="default" xmlns="http://xml.apache.org/jetspeed/2000/psml">
  +    <security-ref parent="anon-view_admin-all"/>
       <metainfo>
         <title>News Page</title>
       </metainfo>
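Review bot: Only the root `<portlets id="100">` gets the `security-ref` here, while the commit log defines "properly protected" as a constraint on the psml and on each pane it contains. If news.psml holds nested `<portlets>` panes below the lines shown, those would stay customizable; the same applies to es/news.psml and to the wml and xml default.psml hunks, which also add the reference at the root only. The rest of each file is outside the hunks, so this needs checking against the full files.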
  
  
  
  1.5       +4 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/default.psml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- default.psml	20 Nov 2002 00:18:55 -0000	1.4
  +++ default.psml	15 Jan 2003 18:01:29 -0000	1.5
  @@ -1,5 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
  +    <security-ref parent="anon-view_admin-all"/>    
       <metainfo>
         <title>Pagina en español por defecto</title>
       </metainfo>
  @@ -11,6 +12,7 @@
     </controller>
   
     <portlets id="101">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="RowController">
         <parameter name="sizes" value="66%,34%"/>
       </controller>
  @@ -31,6 +33,7 @@
     </portlets>
   
     <portlets id="107">
  +    <security-ref parent="anon-view_admin-all"/>  
       <metainfo>
         <title>RSS</title>
       </metainfo>
  @@ -75,6 +78,7 @@
     </portlets>
   
     <portlets id="115">
  +    <security-ref parent="anon-view_admin-all"/>  
       <controller name="TwoColumns"/>
   
       <metainfo>
  
  
  
  1.5       +1 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/news.psml
  
  Index: news.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/news.psml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- news.psml	20 Nov 2002 00:18:55 -0000	1.4
  +++ news.psml	15 Jan 2003 18:01:29 -0000	1.5
  @@ -1,5 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets id="100" user="default" xmlns="http://xml.apache.org/jetspeed/2000/psml">
  +    <security-ref parent="anon-view_admin-all"/>
       <metainfo>
         <title>Página de Noticias</title>
       </metainfo>
  
  
  
  1.5       +1 -1      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/default.psml,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- default.psml	23 Jul 2002 01:24:21 -0000	1.4
  +++ default.psml	15 Jan 2003 18:01:29 -0000	1.5
  @@ -1,6 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets xmlns="http://xml.apache.org/jetspeed/2000/psml">
  -
  +  <security-ref parent="anon-view_admin-all"/>
     <controller name="FlowPortletController"/>
   
     <entry parent="StockQuote">
  
  
  
  1.4       +1 -0      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/en/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/en/default.psml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- default.psml	23 Jul 2002 00:03:56 -0000	1.3
  +++ default.psml	15 Jan 2003 18:01:29 -0000	1.4
  @@ -1,5 +1,6 @@
   <?xml version="1.0" encoding="UTF-8"?>
   <portlets xmlns="http://www.apache.org/2000/02/CVS">
  +    <security-ref parent="anon-view_admin-all"/>    
       <controller name="FlowPortletController"/>
       <control name="ClearPortletControl"/>
   
  
  
  
  1.3       +1 -1      jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/xml/default.psml
  
  Index: default.psml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/xml/default.psml,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- default.psml	28 Jun 2002 05:37:38 -0000	1.2
  +++ default.psml	15 Jan 2003 18:01:29 -0000	1.3
  @@ -1,6 +1,6 @@
   <?xml version="1.0" encoding="iso-8859-1"?>
   <portlets xmlns="http://xml.apache.org/jetspeed/2000/psml">
  -
  +  <security-ref parent="anon-view_admin-all"/>
     <control name="ClearPortletControl"/>
     <controller name="ColumnController"/>
   
  
  
  
  1.112     +4 -1      jakarta-jetspeed/xdocs/changes.xml
  
  Index: changes.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-jetspeed/xdocs/changes.xml,v
  retrieving revision 1.111
  retrieving revision 1.112
  diff -u -r1.111 -r1.112
  --- changes.xml	14 Jan 2003 19:54:41 -0000	1.111
  +++ changes.xml	15 Jan 2003 18:01:29 -0000	1.112
  @@ -23,6 +23,9 @@
   </li>
   -->
   <li>
  +  Fixed - Bug # 15968 - 2003/01/15 - Added check to prevent unauthorized customize access
to properly protected psml (MO)
  +</li>
  +<li>
     Fixed - Bug # 15972 - 2003/01/13 - Role merge feature fails to properly sequence the
resulting panes (MO)
   </li>
   <li>
  
  
  


