Hi Kevin,

Yes, this was for uP 3.2. Thanks for the info about uP4, that's great.

cheers,
Steve


On 13/07/2012, at 1:59 AM, Kevin Wilkinson wrote:

> Is this concerning uPortal versions prior to 4.x?  I believe uP4 already has 
> this feature.  When managing a portlet there is an option to "Hide portlet 
> during impersonation" which does exactly what you're describing.
> -----------------------------
> Kevin Wilkinson
> Student Affairs IT
> University of California, Irvine
> (949) 824-0437
> 
> Please think of the environment before printing this message.
> -----------------------------
> 
> On Jul 12, 2012, at 4:58 AM, Aaron Grant wrote:
> 
>> Steve,
>> 
>> I think that is a great idea and would be useful for us if this were 
>> implemented; I can think of 5 or 6 portlets that I could use this on right 
>> now.
>> 
>> Aaron
>> 
>> On Thu, Jul 12, 2012 at 1:30 AM, Steve Swinsburg <steve.swinsb...@gmail.com> 
>> wrote:
>> Hi all,
>> 
>> We have been conducting a security audit of our portal and have discovered a 
>> situation where data of another user can be exposed via the Switch Identity 
>> portlet.
>> 
>> For example, an admin user uses the Switch Identity portlet to switch to a 
>> student, then can view that user's timetable and enrolment information, 
>> which is meant to be private. A similar case applies to the email portlet. 
>> There are other scenarios as well, as you could imagine, since you are 
>> effectively being logged in as that user and can see and edit everything 
>> they can.
>> 
>> Aside from further locking down of the list of users that can access the 
>> Switch Identity portlet, we are proposing a minor enhancement to the portlet 
>> itself which is to set a session attribute that signals that the user is 
>> impersonating the other user. Portlets could then read that session 
>> attribute and if they display private information, decide not to render 
>> themselves. The attribute would then be cleared at logout time.
>> 
>> This should be a non-obtrusive modification, and the changes to portlets only 
>> need to be made as required. For example, we would change our own local 
>> timetable portlet, but not worry about the weather portlet.
>> 
>> We are interested to hear people's thoughts on this and comments on the 
>> proposed solution. If all is ok, I'll write it up in Jira and get it done.
>> 
>> cheers,
>> Steve
>> --
>> You are currently subscribed to uportal-dev@lists.ja-sig.org as: 
>> asgr...@oakland.edu
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/uportal-dev
>> 
>> 
> 


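The portlet-side half of Steve's proposal above, written out as an added example; this is not code from the thread, from uPortal, or from the Switch Identity portlet. It assumes a JSR-286 portlet, a hypothetical attribute name `org.jasig.portal.impersonating` that the portal sets (as Boolean `true` or the string "true") when an admin switches identity and removes again at logout, and a constructed two-entry timetable standing in for the real back end.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Illustrative timetable portlet (added example, not uPortal or thread code).
 * It hides its private content whenever the portal has flagged the current
 * session as an impersonation (Switch Identity) session.
 */
public class TimetablePortlet extends GenericPortlet {

    /** Hypothetical attribute name; the real one would be fixed in the Jira issue. */
    static final String IMPERSONATING_ATTR = "org.jasig.portal.impersonating";

    /** Constructed sample data standing in for the real timetable back end. */
    private static final List<String> SAMPLE_TIMETABLE = Arrays.asList(
            "Mon 09:00  COMP1001  Lecture Theatre A",
            "Tue 14:00  MATH1002  Room 3.14");

    /**
     * Accepts either a Boolean or the string "true", so the check does not
     * depend on which type the portal chose when it set the attribute.
     * A missing attribute means "not impersonating": the portlet cannot
     * verify this on its own, so the portal setting the flag is the control.
     */
    static boolean isImpersonating(PortletSession session) {
        if (session == null) {
            return false;
        }
        Object flag = session.getAttribute(IMPERSONATING_ATTR, PortletSession.APPLICATION_SCOPE);
        return Boolean.TRUE.equals(flag) || "true".equalsIgnoreCase(String.valueOf(flag));
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // false: do not create a session just to look for the flag.
        if (isImpersonating(request.getPortletSession(false))) {
            // Render a placeholder rather than nothing, so the admin sees why
            // the portlet is empty instead of suspecting a fault.
            out.println("<p>Timetable hidden while impersonating another user.</p>");
            return;
        }

        String user = request.getRemoteUser();
        out.println("<h2>Timetable for " + escapeHtml(user) + "</h2>");
        out.println(renderTimetable());
    }

    /** Builds the private part of the view from the constructed sample data. */
    static String renderTimetable() {
        StringBuilder html = new StringBuilder("<ul>");
        for (String entry : SAMPLE_TIMETABLE) {
            html.append("<li>").append(escapeHtml(entry)).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    /** Minimal HTML escaping for values echoed into the page. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Two caveats for anyone implementing this against uP 3.2. First, the check fails open: if the flag never reaches the portlet, the private data renders, so the portal must set it before the first render after a switch and the logout path must clear it, as the proposal says. Second, if the portlet is deployed as its own web application, a plain HttpSession attribute set in the portal is not visible to it, because servlet sessions belong to one context; the portal would then have to hand the flag across (for example as a user attribute or request attribute), and that plumbing is not shown here. A portal-side control like the uP4 "Hide portlet during impersonation" option Kevin mentions avoids both problems because the portal simply never renders the portlet.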
