[jboss-jira] [JBoss JIRA] Updated: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
Thomas Heute (JIRA)
jira-events at lists.jboss.org
Tue Jan 15 03:57:19 EST 2008
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=all ]
Thomas Heute updated JBPORTAL-1841:
-----------------------------------
Priority: Major (was: Critical)
> URL hacking allows edit mode in weather portlet
> -----------------------------------------------
>
> Key: JBPORTAL-1841
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
> Project: JBoss Portal
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Portal Core
> Affects Versions: 2.6.3 Final
> Reporter: Prabhat Jha
> Assigned To: Thomas Heute
> Attachments: weather-edit.png
>
>
> If you are not logged in then weather portlet does not show edit icon which is good. But if I hack the URL to http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWindow?windowstate=maximized?mode=edit, I am able to get into edit mode and change the zip code. Is this how it supposed to be?
> Sohil suggests:
> "no it shouldn't do that. Either the Edit Mode logic of the Portlet should protect against this (a bit painful design), or Portal's security layer should have the granularity to provide role-based protection of the "Edit Mode" of Portlets as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list