[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1997) Couple of CMS Security issues
Sohil Shah (JIRA)
jira-events at lists.jboss.org
Fri Apr 18 13:16:44 EDT 2008
Couple of CMS Security issues
-----------------------------
Key: JBPORTAL-1997
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1997
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.4 Final
Reporter: Sohil Shah
Assigned To: Sohil Shah
Fix For: 2.6.5 Final
The logic issue lies in the isPortletAccessible check in the CMSAdminPortlet. Side effects are:
Because of this check, the Portlet itself is unavailable even if the resources in the CMS are accessible as per the permissions set on the CMS. Behavior contradicts its setup.
Use cases affected are:
1/ The CmsRootUser cannot access the CMS Admin tool. This completely defeats the purpose of the RootUser, who should have all privileges to go in and fix things.
2/ The CMSAdmin tool cannot be set up for access by Anonymous users.