> Can you open a Bugzilla issue for this so we can track > this change?
Sure, just wanted to do a sanity check before I opened a bug. I think a configuration property like "strict.portlet.security" that could be turned on and off may do the trick. However, we may want to research it more. *===================================* * Scott T Weaver������������������� * * Jakarta Jetspeed Portal Project�� * * [EMAIL PROTECTED] * *===================================* � > -----Original Message----- > From: Mark Orciuch [mailto:[EMAIL PROTECTED] > Sent: Thursday, April 03, 2003 3:05 PM > To: Jetspeed Developers List > Subject: RE: Possible security bug with portlet default security. > > Scott, > > > When adding a portlet through the customizer, it's security ref > > is set to the " services.PortalToolkit.default.user.security.ref" > > value in JS.props. > > > > Is this correct? > > > > I can see this for portlet sets but not for individual portlets > > that may have tighter restriction set at the registry level. I > > vote that this logic be removed as it can give a user more access > > then what was intended. > > > > I see your point. The default user security ref is 'owner-only' so if > registry-level security for a portlet is more restrictive, 'owner-only' > would override it. I still think that default security ref is a useful > feature. My vote would be to not set default security ref if registry- > level > constraint exists. Can you open a Bugzilla issue for this so we can track > this change? > > Best regards, > > Mark Orciuch - [EMAIL PROTECTED] > Jakarta Jetspeed - Enterprise Portal in Java > http://jakarta.apache.org/jetspeed/ > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED]
