The following issue has been updated:
Updater: Mark Orciuch (mailto:[EMAIL PROTECTED])
Date: Fri, 2 Apr 2004 10:52 AM
Changes:
type changed from Bug to Improvement
priority changed from Blocker to Major
---------------------------------------------------------------------
For a full history of the issue, see:
http://issues.apache.org/jira/browse/JS1-421?page=history
---------------------------------------------------------------------
View the issue:
http://issues.apache.org/jira/browse/JS1-421
Here is an overview of the issue:
---------------------------------------------------------------------
Key: JS1-421
Summary: [FIX] Administrative functions not secured
Type: Improvement
Status: Resolved
Priority: Major
Resolution: FIXED
Project: Jetspeed
Components: Security
Fix Fors: 1.5
Versions: 1.4b5-dev / CVS
Assignee: Mark Orciuch
Reporter: Olaf Romanski
Created: Mon, 24 Nov 2003 12:16 PM
Updated: Fri, 2 Apr 2004 10:52 AM
Environment: Operating System: Windows NT/2K
Platform: PC
Description:
Here is what I do (using the nightly build from 09.09.2003):
1. Create a new user (initially has the USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URLs into my browser:
http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted
and
http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name
Result is:
Having only the USER role, I deleted the portlet 'portlet_to_be_deleted' from the portlet registry and added the new permission 'inserted_permission_name'.
Should be:
Some message about an unauthorized access attempt should be displayed, or at least the protected resources should not be modified.
---------------------------------------------------------------------