Dear all,

I have a question regarding Jetspeed security. It seems that no security checking is performed on Portlet actions. I mean a simple user can execute actions like portlets.security.UserUpdateAction doDelete, by simply placing it into the URL.

I was experimenting with the following hack: I used a URL for pane 1101, appended portlets.security.UserUpdateAction as the action and the parameters that are necessary for deleting the user, and the user got deleted; it did not matter that I did not have admin privileges.

http://localhost:8080/doctrine/portal/media-type/html/role/user/page/default.psml/js_pane/1101/action/portlets.security.UserUpdateAction/entityid/test?mode=delete&username=test&eventSubmit_doDelete=

My question is: how can I force security checking in similar cases?

Best regards,
Tamas Vezer
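
The kind of check the question asks about, as an added example that is not part of the original post and not Jetspeed's own code: a deny-by-default gate that reads the action name from the key/value path shown in the URL above and compares it with roles taken from the authenticated session. ActionGate, REQUIRED_ROLE, parsePathInfo, mayExecute and the role names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added sketch: authorization in front of action dispatch.
// None of these names are Jetspeed or Turbine APIs (all hypothetical).
public class ActionGate {
    // Every dispatchable action must be listed with the role it requires.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
        "portlets.security.UserUpdateAction", "admin");

    // Parse the key/value path segments that follow the servlet mapping,
    // e.g. /role/user/js_pane/1101/action/<name>/entityid/test
    static Map<String, String> parsePathInfo(String pathInfo) {
        Map<String, String> params = new LinkedHashMap<>();
        String[] seg = pathInfo.replaceAll("^/+", "").split("/");
        for (int i = 0; i + 1 < seg.length; i += 2) {
            params.put(seg[i], seg[i + 1]);
        }
        return params;
    }

    // sessionRoles must come from the authenticated session, never from
    // the /role/... segment of the URL, which the client controls.
    static boolean mayExecute(String pathInfo, Set<String> sessionRoles) {
        String action = parsePathInfo(pathInfo).get("action");
        if (action == null) {
            return true;   // no action requested; page access is checked elsewhere
        }
        String needed = REQUIRED_ROLE.get(action);
        if (needed == null) {
            return false;  // action not listed: deny by default
        }
        return sessionRoles.contains(needed);
    }

    public static void main(String[] args) {
        // Path taken from the URL in the post, after /doctrine/portal
        String path = "/media-type/html/role/user/page/default.psml/js_pane/1101"
            + "/action/portlets.security.UserUpdateAction/entityid/test";
        System.out.println("role user only:  " + mayExecute(path, Set.of("user")));
        System.out.println("role user+admin: " + mayExecute(path, Set.of("user", "admin")));
    }
}
```

The gate has to run on the server before the action class is instantiated, and the action's own event methods such as doDelete should repeat the role check so that a second entry point cannot bypass it.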
