morciuch 2003/01/15 10:01:29
Modified: docs/site changes.html
src/java/org/apache/jetspeed/modules/actions/controls
Customize.java
webapp/WEB-INF/conf security.xreg
webapp/WEB-INF/psml/user/anon/html default.psml
webapp/WEB-INF/psml/user/anon/html/en default.psml news.psml
webapp/WEB-INF/psml/user/anon/html/es default.psml news.psml
webapp/WEB-INF/psml/user/anon/wml default.psml
webapp/WEB-INF/psml/user/anon/wml/en default.psml
webapp/WEB-INF/psml/user/anon/xml default.psml
xdocs changes.xml
Log:
Added checks to prevent unauthorized customize access to properly protected psml
resources (see Bugzilla bug# 15968). "Properly protected" means having a security
constraint for the psml AND each pane it contains.
Also, protected anonymous psml from unauthorized customization via newly added
"anon-view_admin-all" constraint.
Revision Changes Path
1.95 +3 -0 jakarta-jetspeed/docs/site/changes.html
Index: changes.html
===================================================================
RCS file: /home/cvs/jakarta-jetspeed/docs/site/changes.html,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -r1.94 -r1.95
--- changes.html 14 Jan 2003 19:54:41 -0000 1.94
+++ changes.html 15 Jan 2003 18:01:28 -0000 1.95
@@ -133,6 +133,9 @@
</li>
-->
<li>
+ Fixed - Bug # 15968 - 2003/01/15 - Added check to prevent unauthorized customize
access to properly protected psml (MO)
+</li>
+<li>
Fixed - Bug # 15972 - 2003/01/13 - Role merge feature fails to properly sequence
the resulting panes (MO)
</li>
<li>
1.15 +24 -0
jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/controls/Customize.java
Index: Customize.java
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/controls/Customize.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- Customize.java 8 Nov 2002 23:13:44 -0000 1.14
+++ Customize.java 15 Jan 2003 18:01:28 -0000 1.15
@@ -70,6 +70,9 @@
import org.apache.jetspeed.services.statemanager.SessionState;
import org.apache.jetspeed.util.template.JetspeedLink;
import org.apache.jetspeed.util.template.JetspeedLinkFactory;
+import org.apache.jetspeed.services.security.PortalResource;
+import org.apache.jetspeed.services.JetspeedSecurity;
+import org.apache.jetspeed.om.security.JetspeedUser;
import java.util.Enumeration;
import java.util.Stack;
@@ -194,6 +197,27 @@
if (found!=null)
{
+ PortalResource portalResource = new PortalResource(found);
+ try
+ {
+ JetspeedLink jsLink = JetspeedLinkFactory.getInstance(rundata);
+ portalResource.setOwner(jsLink.getUserName());
+ JetspeedLinkFactory.putInstance(jsLink);
+ }
+ catch (Exception e)
+ {
+ Log.warn(e.toString());
+ portalResource.setOwner(null);
+ }
+
+ if(!JetspeedSecurity.checkPermission((JetspeedUser) jdata.getUser(),
+ portalResource,
+
JetspeedSecurity.PERMISSION_CUSTOMIZE))
+ {
+ Log.warn("User " + jdata.getUser().getUserName() + " has no
customize permission for portlet with id " + peid);
+ jdata.setMessage("Sorry, you have no customize permission for this
portlet");
+ return;
+ }
jdata.setCustomized(found);
jdata.setScreenTemplate("Customize");
}
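Review bot: The catch block falls open rather than closed: when JetspeedLinkFactory.getInstance or getUserName throws, the owner is set to null and the flow still proceeds to checkPermission with a resource whose owner is unknown, and whether a null owner makes the check looser or stricter is not visible in this hunk. A check that exists to block unauthorized customize access should deny on failure, e.g. replace `portalResource.setOwner(null);` in the catch with `jdata.setMessage("Sorry, you have no customize permission for this portlet"); return;`. Independently, `JetspeedLinkFactory.putInstance(jsLink)` is only reached on the success path, so a throw from getUserName() leaks the link instance; moving putInstance into a finally would fix that. The enclosing method begins and ends outside this hunk, so it is worth confirming there is no other path that reaches `jdata.setCustomized(found)` without passing this check.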
1.5 +12 -0 jakarta-jetspeed/webapp/WEB-INF/conf/security.xreg
Index: security.xreg
===================================================================
RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/conf/security.xreg,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- security.xreg 25 Aug 2002 20:14:59 -0000 1.4
+++ security.xreg 15 Jan 2003 18:01:28 -0000 1.5
@@ -51,4 +51,16 @@
<allow-if role="user"/>
</access>
</security-entry>
+ <security-entry name="anon-view_admin-all">
+ <meta-info>
+ <title>Anon+V and Admin+C</title>
+ <description>Anonymous can view and Admin have full
access.</description>
+ </meta-info>
+ <access action="*">
+ <allow-if role="admin"/>
+ </access>
+ <access action="view">
+ <allow-if user="anon"/>
+ </access>
+ </security-entry>
</registry>
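Review bot: The title "Anon+V and Admin+C" undersells what the entry grants: `<access action="*">` gives the admin role every action, not only customize, and the view grant is keyed to the literal user "anon" rather than a role, so an authenticated non-admin account (the `role="user"` form used just above on this page) would presumably be denied view of any psml referencing this constraint if view is enforced for it. If that is intended, the description should say so explicitly, e.g. `<description>Only the anonymous user can view; the admin role has all actions (customize included). Logged-in non-admin users are not granted view.</description>`; if it is not, adding `<allow-if role="user"/>` under the view access would be the fix.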
1.7 +6 -0 jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/default.psml
Index: default.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/default.psml,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- default.psml 20 Nov 2002 00:18:54 -0000 1.6
+++ default.psml 15 Jan 2003 18:01:28 -0000 1.7
@@ -1,5 +1,8 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
+
+ <security-ref parent="anon-view_admin-all"/>
+
<metainfo>
<title>Default Jetspeed Page</title>
</metainfo>
@@ -11,6 +14,7 @@
</controller>
<portlets id="101">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="RowController">
<parameter name="sizes" value="66%,34%"/>
</controller>
@@ -37,6 +41,7 @@
</portlets>
<portlets id="107">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>RSS</title>
</metainfo>
@@ -80,6 +85,7 @@
</portlets>
<portlets id="114">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="TwoColumns"/>
<metainfo>
1.8 +4 -0
jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/default.psml
Index: default.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/default.psml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- default.psml 20 Nov 2002 00:18:54 -0000 1.7
+++ default.psml 15 Jan 2003 18:01:28 -0000 1.8
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>Default Jetspeed Page</title>
</metainfo>
@@ -11,6 +12,7 @@
</controller>
<portlets id="101">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="RowController">
<parameter name="sizes" value="66%,34%"/>
</controller>
@@ -31,6 +33,7 @@
</portlets>
<portlets id="107">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>RSS</title>
</metainfo>
@@ -74,6 +77,7 @@
</portlets>
<portlets id="114">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="TwoColumns"/>
<metainfo>
1.5 +1 -0 jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/news.psml
Index: news.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/en/news.psml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- news.psml 20 Nov 2002 00:18:54 -0000 1.4
+++ news.psml 15 Jan 2003 18:01:28 -0000 1.5
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets id="100" user="default" xmlns="http://xml.apache.org/jetspeed/2000/psml">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>News Page</title>
</metainfo>
1.5 +4 -0
jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/default.psml
Index: default.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/default.psml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- default.psml 20 Nov 2002 00:18:55 -0000 1.4
+++ default.psml 15 Jan 2003 18:01:29 -0000 1.5
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets id="100" xmlns="http://xml.apache.org/jetspeed/2000/psml">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>Pagina en espa�ol por defecto</title>
</metainfo>
@@ -11,6 +12,7 @@
</controller>
<portlets id="101">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="RowController">
<parameter name="sizes" value="66%,34%"/>
</controller>
@@ -31,6 +33,7 @@
</portlets>
<portlets id="107">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>RSS</title>
</metainfo>
@@ -75,6 +78,7 @@
</portlets>
<portlets id="115">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="TwoColumns"/>
<metainfo>
1.5 +1 -0 jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/news.psml
Index: news.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/html/es/news.psml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- news.psml 20 Nov 2002 00:18:55 -0000 1.4
+++ news.psml 15 Jan 2003 18:01:29 -0000 1.5
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets id="100" user="default" xmlns="http://xml.apache.org/jetspeed/2000/psml">
+ <security-ref parent="anon-view_admin-all"/>
<metainfo>
<title>P�gina de Noticias</title>
</metainfo>
1.5 +1 -1 jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/default.psml
Index: default.psml
===================================================================
RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/default.psml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- default.psml 23 Jul 2002 01:24:21 -0000 1.4
+++ default.psml 15 Jan 2003 18:01:29 -0000 1.5
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets xmlns="http://xml.apache.org/jetspeed/2000/psml">
-
+ <security-ref parent="anon-view_admin-all"/>
<controller name="FlowPortletController"/>
<entry parent="StockQuote">
1.4 +1 -0
jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/en/default.psml
Index: default.psml
===================================================================
RCS file:
/home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/wml/en/default.psml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- default.psml 23 Jul 2002 00:03:56 -0000 1.3
+++ default.psml 15 Jan 2003 18:01:29 -0000 1.4
@@ -1,5 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<portlets xmlns="http://www.apache.org/2000/02/CVS">
+ <security-ref parent="anon-view_admin-all"/>
<controller name="FlowPortletController"/>
<control name="ClearPortletControl"/>
1.3 +1 -1 jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/xml/default.psml
Index: default.psml
===================================================================
RCS file: /home/cvs/jakarta-jetspeed/webapp/WEB-INF/psml/user/anon/xml/default.psml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- default.psml 28 Jun 2002 05:37:38 -0000 1.2
+++ default.psml 15 Jan 2003 18:01:29 -0000 1.3
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<portlets xmlns="http://xml.apache.org/jetspeed/2000/psml">
-
+ <security-ref parent="anon-view_admin-all"/>
<control name="ClearPortletControl"/>
<controller name="ColumnController"/>
1.112 +4 -1 jakarta-jetspeed/xdocs/changes.xml
Index: changes.xml
===================================================================
RCS file: /home/cvs/jakarta-jetspeed/xdocs/changes.xml,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- changes.xml 14 Jan 2003 19:54:41 -0000 1.111
+++ changes.xml 15 Jan 2003 18:01:29 -0000 1.112
@@ -23,6 +23,9 @@
</li>
-->
<li>
+ Fixed - Bug # 15968 - 2003/01/15 - Added check to prevent unauthorized customize
access to properly protected psml (MO)
+</li>
+<li>
Fixed - Bug # 15972 - 2003/01/13 - Role merge feature fails to properly sequence
the resulting panes (MO)
</li>
<li>