[jboss-jira] [JBoss JIRA] Reopened: (JBPORTAL-1239) page level security not honored in the navigation system
Stephen Westbom (JIRA)
jira-events at lists.jboss.org
Tue Apr 24 17:06:30 EDT 2007
[ http://jira.jboss.com/jira/browse/JBPORTAL-1239?page=all ]
Stephen Westbom reopened JBPORTAL-1239:
---------------------------------------
This is broken on 2.6cr1; it was also broken on the beta version. Security on the navigation tree isn't being honored. I can see nav tabs I have no permissions on.
Also, can you document how to create a navigation system? The one you have is really marginal at best. Look at https://jsftab.dev.java.net/, that is a nice one, really simple, supports roles, nested tabs (sorry, it doesn't work for portals, it uses JSF actions, but it is KISS and well designed).
I really think pages/window stuff in object.xml should be separated from the navigation tree.
> page level security not honored in the navigation system
> --------------------------------------------------------
>
> Key: JBPORTAL-1239
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-1239
> Project: JBoss Portal
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Portal Security
> Affects Versions: 2.6.Alpha2
> Environment: Windows XP
> Reporter: Stephen Westbom
> Assigned To: Thomas Heute
> Fix For: 2.6.Beta1
>
>
> In 2.4 sp1 pages are checked for security before being displayed as a tab in the navigation using this jsp:
> jboss-portal.sar\portal-core.war\WEB-INF\jsp\catalog\index.jsp
> This seems to be handled by the psib request parameter (a map). In 2.4 the map only gives you PortalNodeURLs that you have permissions on; in all the 2.6 versions you get all the siblingURLs (your term in the JSP page) regardless of the permission settings in the {project name}_object.xml.
> Can this be fixed so that the psib parameter only gives you a handle to a map that gives you objects you have permissions to see?
> Thanks
> Stephen
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira