portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: AbstractPortletControl Bug ???
Date Tue, 16 Oct 2001 15:05:04 GMT
Mark Dimon wrote:

>I found another related problem, with 'entry' being null in
>checkPermission() in jetspeedDBSecurityService and not caught now that
>the function is being executed due to the &&. + I got problems after making
>that change... not sure if related, will do some more checking tomorrow
>
Yes. I took the security conscious approach (no entry, no permission). 
Maybe someone can check why entry is null sometimes...

I think the patch you sent was not really needed. The problem is with 
AbstractPortlet.allowXXX(), which is not making the security checks. I'm 
currently testing this. I'll report on this one.

>
>
>Regards Mark.
>
>----- Original Message -----
>From: "Santiago Gala" <sgala@hisitech.com>
>To: <jetspeed-dev@jakarta.apache.org>
>Sent: Tuesday, October 16, 2001 11:22 AM
>Subject: Re: AbstractPortletControl Bug ???
>
>
>>Mark Dimon wrote:
>>
>>>Hi,
>>>
>>>I've noticed that in
>>>
>>>org.apache.jetspeed.portal.controls.AbstractPortletControl
>>>
>>>the methods *like* allowClose() do the security check with a || rather than
>>>an &&; if I change this to && then the permissions behave as
>>>expected and you can now disable the close icons etc. for users with the
>>>admin pane.
>>>
>>>Is this a bug ? or something unfinished ?
>>>
>>It *was* a bug :-)
>>
>>Thanks a lot. I was trying to find just now why this feature was not
>>working. I'll patch this in a few hours.
>>
>>>
>>---------------------------------------------------------------------------
>>
>>>  public boolean allowClose( RunData rundata )
>>>   {
>>>       Portlet p = getPortlet();
>>>
>>>       if (p==null) return false;
>>>
>>>       if ((p instanceof PortletSet)
>>>           /*** this should be && not || ??? ***/  ||
>>>           (JetspeedSecurity.checkPermission(rundata,
>>>                                             JetspeedSecurity.PERMISSION_CLOSE,
>>>                                             p)))
>>>       {
>>>           if (p instanceof PortletState)
>>>           {
>>>               return ((PortletState)p).allowClose(rundata);
>>>           }
>>>       }
>>>
>>>       return false;
>>>   }
>>>
>>---------------------------------------------------------------------------
>>
>>>Regards Mark
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
>
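
The short-circuit effect discussed in this thread, as an added illustration that is not part of either message and is not Jetspeed code: with ||, a PortletSet never reaches the permission check, while && runs it and can hit a missing entry, which the lookup here treats as "no permission". The types, registry and method names are hypothetical stand-ins; records need Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

public class ShortCircuitPermissionDemo {
    // Hypothetical stand-ins for the Jetspeed types named in the thread.
    interface Portlet { String name(); }
    record SimplePortlet(String name) implements Portlet {}
    record PortletSet(String name) implements Portlet {}

    // Constructed registry: portlet name -> entry. "set1" has no entry.
    record Entry(boolean closeAllowed) {}
    static final Map<String, Entry> REGISTRY = new HashMap<>();
    static int checks = 0; // counts how often the permission check really runs

    // Fail-closed lookup: a missing entry means no permission.
    static boolean checkPermission(Portlet p) {
        checks++;
        Entry entry = REGISTRY.get(p.name());
        if (entry == null) return false; // no entry, no permission
        return entry.closeAllowed();
    }

    // Condition as quoted in the thread: || skips the check for a PortletSet.
    static boolean guardWithOr(Portlet p) {
        return (p instanceof PortletSet) || checkPermission(p);
    }

    // Condition after the proposed change: && runs the check for a PortletSet.
    static boolean guardWithAnd(Portlet p) {
        return (p instanceof PortletSet) && checkPermission(p);
    }

    public static void main(String[] args) {
        REGISTRY.put("news", new Entry(false));
        Portlet set = new PortletSet("set1");       // not in the registry
        Portlet news = new SimplePortlet("news");   // close explicitly denied

        checks = 0;
        System.out.println("|| set:  " + guardWithOr(set) + ", checks=" + checks);
        checks = 0;
        System.out.println("|| news: " + guardWithOr(news) + ", checks=" + checks);
        checks = 0;
        System.out.println("&& set:  " + guardWithAnd(set) + ", checks=" + checks);
        checks = 0;
        System.out.println("&& news: " + guardWithAnd(news) + ", checks=" + checks);
    }
}
```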