Please do NOT commit this change. I, for one, have cases where one user would want to see another user's page. To restrict this is the role of the security service, and perhaps could be an optional feature there (or just be handled using normal security restrictions, if desired).
In my app, we have user pages, and group pages, and we need to allow sets of users to see each group page, and block other users from seeing group pages. The exact same is true for the user pages - our users can allow others to join them on their pages, and block others from seeing their pages. The security service definitions will be used to allow all this.

Thanks.

- Glenn

--------------------------------------------
Glenn R. Golden, Systems Research Programmer
University of Michigan School of Information
[EMAIL PROTECTED]
734-615-1419
--------------------------------------------

> -----Original Message-----
> From: Weaver, Scott [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 24, 2002 4:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: psml profile "spoofing", a possible security hole
>
> I have noticed in jetspeed(1.3a3) that a user can spoof
> another user's psml profile by copying a URL with psml
> information into the location bar. This is also possible
> when not logged in (as anon).
>
> Scenario:
>
> 1. User logs in as User_A.
> 2. User clicks a tab, then copies the URL:
> <http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
> 4. User then logs out as User_A.
> 5. Now the User (not logged in at all) copies the above url
> into the browser. User_A's psml profile is now available to
> the Anon user.
>
> Portlets with security are restricted (good), however, all
> information that is not specifically secured is available.
> IMOHO, there should be no way to access one user's psml
> profile from another or by anon. I have patched the problem
> and included it below.
>
> If this problem has already been addressed or if I'm totally
> off base, please let me know.
>
> Thanks,
> Scott
>
> Index: src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
> ===================================================================
> RCS file: /home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java,v
> retrieving revision 1.4
> diff -u -r1.4 JetspeedAccessController.java
> --- src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java 14 May 2002 17:35:32 -0000 1.4
> +++ src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java 24 Jun 2002 20:42:41 -0000
> @@ -94,6 +94,22 @@
> }
>
> // get the profile and store it in the RunData
> +
> + // This prevents one user from even seeing another's pane
> + String requestedUser =
> jdata.getParameters().getString("user","-1");
> + String sessionUser = jdata.getUser().getUserName();
> + // Prevent anon from accessing other panes
> + if(sessionUser == null && !requestedUser.equals(" -1"))
> + {
> + jdata.getParameters().remove("user");
> + }
> + // Prevent one person from accessing another's pane
> + else if(!sessionUser.equalsIgnoreCase(requestedUser))
> + {
> + jdata.getParameters().remove("user");
> + jdata.getParameters().add("user",sessionUser);
> + }
> +
> Profile newProfile = Profiler.getProfile(jdata);
> Profile currentProfile = jdata.getProfile();
>
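Review bot: the anon branch in this hunk cannot behave as its comment says, because the sentinel literals disagree: `getString("user","-1")` defaults to `"-1"` (no space) while the test is `!requestedUser.equals(" -1")` (leading space), so for a session with a null user name the first branch is taken on every request, including requests that carried no `user` parameter at all; put the sentinel in one shared constant so the two literals cannot drift apart. On the same lines, `jdata.getUser().getUserName()` is dereferenced before `sessionUser == null` is tested, so if an anonymous session has no user object the method throws a NullPointerException instead of reaching the intended branch; and `equalsIgnoreCase` treats two account names that differ only in case as the same user, which is only safe if Jetspeed user names are case-insensitive everywhere else. Finally, the hunk silently rewrites the request to the session user's own profile rather than denying it, and it forbids every cross-user view unconditionally; as the reply above points out, whether one user may see another's page is a policy the security service already expresses, so a check here would need to consult that service (or be optional) rather than hard-code the denial.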
