[gatein-issues] [JBoss JIRA] Resolved: (GTNPORTAL-648) Portlet Permissions : I can view a portlet I shouldn't

Trong Tran (JIRA) jira-events at lists.jboss.org
Wed Mar 3 01:47:10 EST 2010


     [ https://jira.jboss.org/jira/browse/GTNPORTAL-648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Trong Tran resolved GTNPORTAL-648.
----------------------------------

    Resolution: Done


> Portlet Permissions : I can view a portlet I shouldn't
> ------------------------------------------------------
>
>                 Key: GTNPORTAL-648
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-648
>             Project: GateIn Portal
>          Issue Type: Bug
>    Affects Versions: 3.0.0-Beta05-CP01
>            Reporter: Benjamin Paillereau
>            Assignee: Trong Tran
>            Priority: Critical
>             Fix For: 3.0.0-GA
>
>
> Use case :
> - Connect as root
> -- john => make sure, he's only member:/platform/administrators
> -- I put a simple portlet in a page with Access Permission for manager:/platform/administrators (only root)
> - Connect as john
> - then try step 1 then 2
> 1/ submenu error
> -- go to the page with the limited access portlet
> --- I don't see the portlet in the page (normal behaviour)
> -- => error in the admin bar, we don't see sub-menus anymore
> 2/ security error
> -- Go to Site / Edit Navigation / Edit Node's page
> --- john can edit the page with the portlet he shouldn't be able to see
> --- john can
> ---- see the portlet view via Switch View mode (security problem with view)
> ---- edit the portlet and change Access Permissions (big security problem)
> Normal behaviour should be that :
> - john can edit the page but doesn't see the portlet
