> -----Original Message-----
> From: Mark Orciuch [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 20, 2002 9:22 AM
> To: Jetspeed Developers List
> Subject: RE: Link to a portlet in another profile
>
> > > David,
> > >
> > > If you provide a link to a portlet in another user's psml, such as:
> > >
> > > http://localhost/jetspeed/portal/media-type/html/user/admin/page/default.psml/js_peid/321?action=controls.Maximize
> > >
> > > the portlet gets displayed correctly. However, if you click Home then you
> > > get "<>" back and you have to log out and log back in to get your profile
> > > displaying correctly again. Did anyone ever run into this before?
> >
> > I see a number of bugs:
> >
> > 1. If I'm logged on as anon, and I go to
> >
> > http://localhost/jetspeed/portal/media-type/html/user/admin/page/default.psml
> >
> > then fine, it disallows viewing of the portlets
> >
> > 2. If I then go to
> >
> > http://localhost/jetspeed/portal/media-type/html/user/admin/page/default.psml/js_peid/321?action=controls.Maximize
> >
> > It bypasses the security and goes down to the particular specified portlet
> >
> > 3. If I try to go back to the address in #1, it remembers the maximized
> > state, and bypasses security again
>
> I traced the security hole to JetspeedTool.getPortletById() method. It
> bypasses PortletFactory and gets it directly from the profile. I'll look
> into fixing it.

That's a very big security hole, great catch!

> > 4. this is the error as you described: you can no longer get any more pages
> > to load, just "<>"
> >
> > I've never seen #4 before. I'm wondering if it's related to my commits from
> > last night.
> >
> > Are you using a fresh cvs checkout?
>
> I traced that as well. The "js_peid" contained in the user's temp storage
> was not being reset after maximizing the portlet. I already checked in a fix
> for that (Home.vm).

Excellent. I think that solves a number of problems I've seen reported, but
not sure if there was actually a bug in the db

David

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
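The two defects discussed in this thread, an id-based lookup path that skips the access check the normal page path applies (bugs #2 and #3), and a maximized-portlet id left in per-user temp storage until the next login (bug #4), are modelled below in an added example. This is not Jetspeed code and does not use its classes: `Portlet`, `PROFILES`, `can_view`, `Session`, the `lookup_*` functions, `maximize`, `view_profile` and `go_home` are all hypothetical stand-ins for the portal's profile store, portlet factory and temp storage, and the sample profile data is constructed. The point it shows is that every lookup path, including lookup by `js_peid`, has to go through the same authorization gate, and that navigation state remembered in the session must be cleared when the user leaves the maximized view.

```python
# Added example, not Jetspeed's own code. All names below are hypothetical
# stand-ins for the portal's registry, profile (psml) store and temp storage.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Portlet:
    peid: str    # portlet entry id, as in the js_peid URL parameter
    owner: str   # user whose profile (psml) the portlet belongs to
    title: str


class AccessDenied(Exception):
    """Raised when the requesting user may not view the portlet."""


# Constructed sample profile store: peid -> Portlet.
PROFILES = {
    "321": Portlet("321", "admin", "Admin console"),
    "322": Portlet("322", "admin", "User manager"),
    "100": Portlet("100", "anon", "Welcome"),
}


def can_view(user: str, portlet: Portlet) -> bool:
    """Hypothetical policy: users see their own profile's portlets; admin sees all."""
    return user == "admin" or portlet.owner == user


def lookup_by_id_unchecked(user: str, peid: str) -> Portlet:
    """The pattern behind bug #2: a second lookup path reads the profile
    directly, so the policy in can_view() is never consulted."""
    return PROFILES[peid]


def lookup_by_id_checked(user: str, peid: str) -> Portlet:
    """Fixed path: every lookup, by id included, goes through the same gate.
    Unknown and forbidden ids fail identically, so ids cannot be probed."""
    portlet = PROFILES.get(peid)
    if portlet is None or not can_view(user, portlet):
        raise AccessDenied(peid)
    return portlet


@dataclass
class Session:
    user: str
    temp: dict = field(default_factory=dict)  # stands in for per-user temp storage


def maximize(session: Session, peid: str, lookup) -> list[str]:
    """controls.Maximize: show one portlet and remember it in the session."""
    portlet = lookup(session.user, peid)
    session.temp["js_peid"] = peid
    return [portlet.title]


def view_profile(session: Session, owner: str, lookup) -> list[str]:
    """Render a profile page. A remembered js_peid wins over the full page,
    which is why bug #3 resurfaces a maximized portlet on a later visit."""
    remembered = session.temp.get("js_peid")
    if remembered is not None:
        return maximize(session, remembered, lookup)
    return [p.title for p in PROFILES.values()
            if p.owner == owner and can_view(session.user, p)]


def go_home(session: Session, lookup, reset_peid: bool = True) -> list[str]:
    """Home link. Clearing js_peid first mirrors the fix described for Home.vm;
    with reset_peid=False the stale maximized state survives the navigation."""
    if reset_peid:
        session.temp.pop("js_peid", None)
    return view_profile(session, session.user, lookup)
```

Running `maximize(Session("anon"), "321", lookup_by_id_unchecked)` returns the admin portlet's title, while the same call with `lookup_by_id_checked` raises `AccessDenied`; `go_home` with the default `reset_peid=True` drops the remembered id so the next profile render is the full page again. The design choice worth copying is that the checked lookup is the only way to obtain a `Portlet`, so a new URL route or view helper cannot accidentally reintroduce the unchecked path.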
