You are correct in that there is no security checking enforced by Jetspeed when
calling actions (afaik). In this particular case, it's just a case of very insecure
code in the UserUpdateAction.
As far as I'm aware, you should do the action-specific security checking on each
action method. e.g.
String username = rundata.getUser().getUserName();
if (JetspeedSecurity.hasRole(username, "admin") || username.equals("admin")) or
whatever.
If time presents itself I'll get a patch.
stu
>>> [EMAIL PROTECTED] 11/09/03 07:49AM >>>
Dear all,
I have a question regarding Jetspeed security. Now it seems that there is
no security checking performed on Portlet actions. I mean a simple user
can execute actions like
portlets.security.UserUpdateAction doDelete, by simply placing it into the
URL.
I was experimenting with the following hack:
I used a URL for pane 1101, appended portlets.security.UserUpdateAction as
the action and the parameters that are necessary for deleting the user, and the
user got deleted; it did not matter that I did not have admin privileges.
http://localhost:8080/doctrine/portal/media-type/html/role/user/page/default.psml/js_pane/1101/action/portlets.security.UserUpdateAction/entityid/test?mode=delete&username=test&eventSubmit_doDelete=
My question is: how can I force security checking in similar cases?
Best regards,
Tamas Vezer
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
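The following is an added illustration of the problem in this thread and of the fix stu proposes; it is not Jetspeed code and is not from either poster. It models the Turbine-style event dispatch that Jetspeed 1 actions rely on (an eventSubmit_doX request parameter invokes doX on whatever action the URL names), replays the exact URL from the original message as a non-admin and as admin, and contrasts a doDelete that trusts the URL with one that checks the caller's role inside the action method, as stu recommends. The RunData stand-in, the user table, the class names and the simulate() helper are all invented for the example; only the URL and the "admin" role check come from the thread.

```python
from urllib.parse import urlparse, parse_qs

# The URL from the original message, unchanged.
ATTACK_URL = ("http://localhost:8080/doctrine/portal/media-type/html/role/user/page/"
              "default.psml/js_pane/1101/action/portlets.security.UserUpdateAction/"
              "entityid/test?mode=delete&username=test&eventSubmit_doDelete=")


def fresh_users():
    """Constructed user/role table standing in for the portal's user store (assumption)."""
    return {"admin": {"admin"}, "test": {"user"}, "mallory": {"user"}}


class RunData:
    """Hypothetical stand-in for Turbine's RunData: the caller plus the request parameters."""

    def __init__(self, username, params, users):
        self.username, self.params, self.users = username, params, users

    def has_role(self, role):
        # Plays the part of JetspeedSecurity.hasRole(username, role) from stu's reply.
        return role in self.users.get(self.username, set())


def parse_request(url):
    """Pull the action name and parameters out of a Jetspeed 1 style URL: the path
    carries /key/value/ pairs (js_pane, action, entityid) and the query string the rest."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    segs = u.path.strip("/").split("/")
    for key in ("js_pane", "action", "entityid"):
        if key in segs and segs.index(key) + 1 < len(segs):
            params[key] = segs[segs.index(key) + 1]
    return params


def dispatch(action, rundata):
    """Turbine ActionEvent semantics, modelled: any eventSubmit_doX parameter
    invokes action.doX(rundata). Nothing here asks whether the caller may do X,
    which is why the check has to live in each action method."""
    for name in rundata.params:
        if name.startswith("eventSubmit_do"):
            handler = getattr(action, name[len("eventSubmit_"):])
            return handler(rundata)
    return "no event"


class UserUpdateActionInsecure:
    """Behaviour the thread reports: doDelete acts on whatever username the URL supplies."""

    def doDelete(self, rundata):
        rundata.users.pop(rundata.params["username"], None)
        return "deleted"


class UserUpdateActionSecure:
    """The fix stu describes: the action method itself checks the caller's role
    before touching the user store, and fails closed on any other caller."""

    def doDelete(self, rundata):
        if not (rundata.has_role("admin") or rundata.username == "admin"):
            raise PermissionError(f"{rundata.username} is not allowed to delete users")
        rundata.users.pop(rundata.params["username"], None)
        return "deleted"


def simulate(url, caller, action_cls):
    """Replay `url` as `caller` against a fresh user store; return
    (outcome, sorted usernames that survive the request)."""
    users = fresh_users()
    rundata = RunData(caller, parse_request(url), users)
    try:
        outcome = dispatch(action_cls(), rundata)
    except PermissionError:
        outcome = "denied"
    return outcome, sorted(users)


if __name__ == "__main__":
    for cls in (UserUpdateActionInsecure, UserUpdateActionSecure):
        for caller in ("mallory", "admin"):
            print(cls.__name__, caller, simulate(ATTACK_URL, caller, cls))
```

Running the block shows "mallory" (a plain user) removing "test" through the insecure action and being refused by the secure one, while "admin" succeeds in both. The point to carry back to a real patch is that the pane or portlet the user was shown is irrelevant: the action class is addressed directly by name in the URL, so every doXxx method that changes state needs its own authorization check, or a shared base class that performs one before any event method runs.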