[jboss-jira] [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet

URL hacking allows edit mode in weather portlet ----------------------------------------------- Key: JBPORTAL-1841 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841 Project: JBoss Portal Issue Type: Feature Request Security Level: Public(Everyone can see) Components: Portal Core Affects Versions: 2.6.3 Final Reporter: Prabhat Jha Assigned To: Thomas Heute Attachments: weather-edit.png If you are not logged in then weather portlet does not show edit icon which is good. But if I hack the URL to http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi..., I am able to get into edit mode and change the zip code. Is this how it supposed to be? Sohil suggests: "no it shouldn't do that. Either the Edit Mode logic of the Portlet should protect against this (a bit painful design), or Portal's security layer should have the granularity to provide role-based protection of the "Edit Mode" of Portlets as a cross cutting aspect. I like the second option better personally"