Thomas Heute updated GTNPORTAL-648:
-----------------------------------
Fix Version/s: 3.0.0-GA
Portlet Permissions : I can view a portlet I shouldn't
------------------------------------------------------
Key: GTNPORTAL-648
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-648
Project: GateIn Portal
Issue Type: Bug
Affects Versions: 3.0.0-Beta05-CP01
Reporter: Benjamin Paillereau
Assignee: Julien Viet
Priority: Critical
Fix For: 3.0.0-GA
Use case :
- Connect as root
-- john => make sure, he's only member:/platform/administrators
-- I put a simple portlet in a page with Access Permission for manager:/platform/administrators (only root)
- Connect as john
- then try step 1 then 2
1/ submenu error
-- go to the page with the limited access portlet
--- I don't see the portlet in the page (normal behaviour)
-- => error in the admin bar, we don't see sub-menus anymore
2/ security error
-- Go to Site / Edit Navigation / Edit Node's page
--- john can edit the page with the portlet he shouldn't be able to see
--- john can
---- see the portlet view via Switch View mode (security problem with view)
---- edit the portlet and change Access Permissions (big security problem)
Normal behaviour should be that :
- john can edit the page but doesn't see the portlet
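An added example, not part of the original report and not GateIn's code: a minimal Java model of the behaviour the report asks for, where the portlet's access permission is checked on every path (page view, page editor, portlet edit, permission change) rather than only when the page is rendered. Class, method and portlet names are hypothetical, the sample data is constructed, and membership expressions are assumed to match as exact strings.

```java
import java.util.*;

// Hypothetical model, not GateIn code: one access check shared by every
// code path that can expose or modify a portlet.
public class PortletAccessExample {
    enum Action { VIEW_IN_PAGE, VIEW_IN_PAGE_EDITOR, EDIT_PORTLET, CHANGE_PERMISSIONS }

    static final class Portlet {
        final String name;
        final Set<String> accessPermissions; // "membershipType:/group" expressions
        Portlet(String name, String... perms) {
            this.name = name;
            this.accessPermissions = new HashSet<>(Arrays.asList(perms));
        }
    }

    // True only if the user holds one of the exact memberships the portlet requires.
    static boolean hasAccess(Set<String> userMemberships, Portlet p) {
        for (String required : p.accessPermissions) {
            if (userMemberships.contains(required)) return true;
        }
        return false;
    }

    // Page-edit rights do not imply portlet access: every action is gated first.
    static boolean isAllowed(Set<String> userMemberships, boolean canEditPage, Portlet p, Action a) {
        if (!hasAccess(userMemberships, p)) return false;
        return a == Action.VIEW_IN_PAGE || canEditPage;
    }

    // Portlets shown in the page editor: restricted ones are filtered out.
    static List<String> visibleInEditor(Set<String> m, boolean canEditPage, List<Portlet> page) {
        List<String> out = new ArrayList<>();
        for (Portlet p : page) {
            if (isAllowed(m, canEditPage, p, Action.VIEW_IN_PAGE_EDITOR)) out.add(p.name);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the use case in the report.
        Set<String> john = new HashSet<>(Arrays.asList("member:/platform/administrators"));
        Set<String> root = new HashSet<>(Arrays.asList("manager:/platform/administrators"));
        Portlet restricted = new Portlet("restricted", "manager:/platform/administrators");
        Portlet open = new Portlet("open", "member:/platform/administrators");
        List<Portlet> page = Arrays.asList(restricted, open);
        System.out.println("john editor view: " + visibleInEditor(john, true, page));
        for (Action a : Action.values())
            System.out.println("john " + a + " on restricted: " + isAllowed(john, true, restricted, a));
        System.out.println("root editor view: " + visibleInEditor(root, true, page));
    }
}
```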