http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24939

administrative functions not secured

           Summary: administrative functions not secured
           Product: Jetspeed
           Version: 1.4b5-dev / CVS
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Security
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Here is what I do (using nightly build from 09.09.2003):

1. Create a new user (initially has USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URLs into my browser:

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted

and

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name

Result is:
Having only USER role I deleted portlet 'portlet_to_be_deleted' from portlet registry and added new permission 'inserted_permission_name'

Should be:
Some message about unauthorized access attempt should be displayed, or at least protected resources should not be modified.
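An added example, not part of the original report and not Jetspeed code: a deny-by-default server-side gate that maps the `action` request parameter to a required role before any handler runs, exercised against the two URLs from the report. The `ADMIN` role name, the policy table, and the class and method names are assumptions.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration: role check performed on the server before an action handler is dispatched. */
public class ActionGate {
    // Hypothetical policy table: action name -> role required to invoke any of its events.
    // The ADMIN role name is an assumption; the report only names the USER role.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
        "portlets.PortletUpdateAction", "ADMIN",
        "portlets.security.PermissionUpdateAction", "ADMIN");

    /** Split the raw query string into parameters (first value wins). */
    static Map<String, String> params(String url) {
        Map<String, String> out = new LinkedHashMap<>();
        String query = URI.create(url).getRawQuery();
        if (query == null) return out;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.putIfAbsent(key, value);
        }
        return out;
    }

    /** Allow only when no action is requested, or the caller holds the role mapped to it. */
    static boolean isAllowed(String url, Set<String> callerRoles) {
        String action = params(url).get("action");
        if (action == null || action.isEmpty()) return true; // plain page view, no handler runs
        String needed = REQUIRED_ROLE.get(action);
        if (needed == null) return false;                    // unlisted action: deny by default
        return callerRoles.contains(needed);
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/jetspeed/portal/template/Home/template/Home?";
        String del = base + "action=portlets.PortletUpdateAction"
            + "&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted";
        String ins = base + "action=portlets.security.PermissionUpdateAction"
            + "&eventSubmit_doInsert=true&name=inserted_permission_name";
        // Constructed callers: one with the USER role only, one that also holds ADMIN.
        System.out.println("USER delete allowed:  " + isAllowed(del, Set.of("USER")));
        System.out.println("USER insert allowed:  " + isAllowed(ins, Set.of("USER")));
        System.out.println("ADMIN delete allowed: " + isAllowed(del, Set.of("USER", "ADMIN")));
    }
}
```

The check keys on the action name taken from the request, so it applies no matter which page or template the URL was entered through.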
