I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml profile by copying a URL with psml information into the location bar. This is also possible when not logged in (as anon).
Scenario:

1. User logs in as User_A.
2. User clicks a tab, then copies the URL: <http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
4. User then logs out as User_A.
5. Now the User (not logged in at all) copies the above URL into the browser.

User_A's psml profile is now available to the Anon user. Portlets with security are restricted (good); however, all information that is not specifically secured is available. IMHO, there should be no way to access one user's psml profile from another or by anon.

I have patched the problem and included it below. If this problem has already been addressed or if I'm totally off base, please let me know.

Thanks,
Scott

Index: src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java =================================================================== RCS file: /home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/action s/JetspeedAccessController.java,v retrieving revision 1.4 diff -u -r1.4 JetspeedAccessController.java --- src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java 14 May 2002 17:35:32 -0000 1.4 +++ src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java 24 Jun 2002 20:42:41 -0000 @@ -94,6 +94,22 @@ } // get the profile and store it in the RunData + + // This prevents one user from even seeing another's pane + String requestedUser = jdata.getParameters().getString("user","-1"); + String sessionUser = jdata.getUser().getUserName(); + // Prevent anon from accessing other panes + if(sessionUser == null && !requestedUser.equals(" -1")) + { + jdata.getParameters().remove("user"); + } + // Prevent one person from accessing another's pane + else if(!sessionUser.equalsIgnoreCase(requestedUser)) + { + jdata.getParameters().remove("user"); + jdata.getParameters().add("user",sessionUser); + } + Profile newProfile = Profiler.getProfile(jdata); Profile currentProfile = jdata.getProfile();
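Review bot: the anonymous branch compares `requestedUser` against `" -1"` (with a leading space) while the default supplied to `getString("user","-1")` is `"-1"`, so the two literals never match and the "no user requested" case is never recognised for an unauthenticated session. Correct the literal to `"-1"`, but note that doing so exposes a second defect in the `else if`: when `sessionUser` is null and no `user` parameter was sent, control falls through to `sessionUser.equalsIgnoreCase(requestedUser)` and throws a NullPointerException. Restructure so the null case is handled completely first, e.g. `if (sessionUser == null) { jdata.getParameters().remove("user"); } else if (!sessionUser.equalsIgnoreCase(requestedUser)) { ... }`. Two further points: `jdata.getUser().getUserName()` is called unguarded, so if `getUser()` can itself return null for an unauthenticated request the guard fails with an exception rather than enforcing anything; and silently rewriting `user` to the session user hides the attempt, so log the mismatch (requested vs. session user) before overriding it, since a request carrying another user's profile URL is exactly the event an administrator wants recorded. Finally, the check only covers callers that reach `Profiler.getProfile(jdata)` through this action; any other code path that reads the `user` parameter needs the same guard.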
