Steve,

I think that is a great idea, and it would be useful for us if this were
implemented. I can think of 5 or 6 portlets that I could use this on right
now.

Aaron

On Thu, Jul 12, 2012 at 1:30 AM, Steve Swinsburg
<steve.swinsb...@gmail.com> wrote:

> Hi all,
>
> We have been conducting a security audit of our portal and have discovered
> a situation where data of another user can be exposed via the Switch
> Identity portlet.
>
> For example, an admin user uses the Switch Identity portlet to switch to a
> student, then can view that user's timetable and enrolment information,
> which is meant to be private. A similar case applies to the email portlet.
> There are other scenarios as well, as you could imagine, since you are
> effectively being logged in as that user and can see and edit everything
> they can.
>
> Aside from further locking down of the list of users that can access the
> Switch Identity portlet, we are proposing a minor enhancement to the
> portlet itself which is to set a session attribute that signals that the
> user is impersonating the other user. Portlets could then read that session
> attribute and if they display private information, decide not to render
> themselves. The attribute would then be cleared at logout time.
>
> This should be a non-obtrusive modification, and the changes to portlets
> only need to be made as required. For example we would change our own local
> timetable portlet, but not worry about the weather portlet.
>
> We are interested to hear people's thoughts on this and comments on the
> proposed solution. If all is OK, I'll write it up in Jira and get it done.
>
> cheers,
> Steve
> --
> You are currently subscribed to uportal-dev@lists.ja-sig.org as:
> asgr...@oakland.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/uportal-dev
>
>

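The session-attribute scheme Steve proposes, sketched as an added example (this is not uPortal's own code, nor code from Steve or Aaron; the attribute name `example.impersonating.originalUser`, the `ImpersonationFlag` helper and the `TimetablePortlet` class are all assumptions made for illustration). It uses only the standard JSR-286 `javax.portlet` API: the Switch Identity portlet would call `ImpersonationFlag.set(...)` when an admin assumes another identity and `ImpersonationFlag.clear(...)` when they switch back or log out; a portlet that shows private data checks the flag in `doView` before touching that data.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Hypothetical helper shared by the Switch Identity portlet (which sets the
 * flag) and any portlet that displays private data (which reads it).
 * The attribute name is an assumption for this example.
 */
final class ImpersonationFlag {
    static final String ATTR = "example.impersonating.originalUser";

    private ImpersonationFlag() {}

    /** Called by the Switch Identity portlet when an admin assumes another identity. */
    static void set(PortletSession session, String originalUser) {
        // APPLICATION_SCOPE so every portlet in the portal session can see it,
        // not just the portlet that set it.
        session.setAttribute(ATTR, originalUser, PortletSession.APPLICATION_SCOPE);
    }

    /** Called when the admin returns to their own identity, and at logout. */
    static void clear(PortletSession session) {
        session.removeAttribute(ATTR, PortletSession.APPLICATION_SCOPE);
    }

    /** True only when the flag is present; absence means a normal session. */
    static boolean isImpersonating(PortletSession session) {
        return session != null
            && session.getAttribute(ATTR, PortletSession.APPLICATION_SCOPE) != null;
    }
}

/** Example timetable portlet that refuses to render private data while impersonating. */
public class TimetablePortlet extends GenericPortlet {

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // Check the flag before loading any private data, not after.
        if (ImpersonationFlag.isImpersonating(request.getPortletSession())) {
            out.println("<p>Timetable hidden while viewing the portal as another user.</p>");
            return;
        }

        out.println("<p>Timetable for " + escape(request.getRemoteUser()) + "</p>");
        // ... render the timetable rows for the current user here ...
    }

    // Minimal HTML escaping so a username cannot inject markup into the page.
    private static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Two caveats a practitioner would want alongside this pattern. First, it is opt-in: a portlet nobody updates still renders private data to the impersonating admin, so it complements, rather than replaces, restricting who may use Switch Identity in the first place. Second, suppressing `doView` only hides the rendered markup; if a portlet also serves data through `processAction` or `serveResource`, the same `isImpersonating` check belongs there too, or the data remains reachable by a direct request.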
