portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Orciuch" <mark_orci...@ngsltd.com>
Subject RE: Possible security bug with portlet default security.
Date Thu, 03 Apr 2003 20:04:59 GMT
Scott,

> When adding a portlet through the customizer, it's security ref
> is set to the " services.PortalToolkit.default.user.security.ref"
> value in JS.props.
>
> Is this correct?
>
> I can see this for portlet sets but not for individual portlets
> that may have tighter restriction set at the registry level.  I
> vote that this logic be removed as it can give a user more access
> then what was intended.
>

I see your point. The default user security ref is 'owner-only' so if
registry-level security for a portlet is more restrictive, 'owner-only'
would override it. I still think that default security ref is a useful
feature. My vote would be to not set default security ref if registry-level
constraint exists. Can you open a Bugzilla issue for this so we can track
this change?

Best regards,

Mark Orciuch - morciuch@apache.org
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org


Mime
View raw message