Randy Watler said: > David, Is a message missing from the list or did you get a message from 'David' privately?
> > I have done some significant cleanup in the PageManager and the Customizer > updates seem to be working for me at this point. I think it is safe to say > that the CastorXmlPageManager version out there now is causing at least > some > of the problems you are encountering. Will have a patch in the morning at > some point. I'd like to add another problem I encountered. Because the guest user now is a proper user, we should think of some way to disallow login to this user as it is meant to be used as buildin/internal user only. A simple solution to that would be setting the user is_enabled flag to false, but that still leaves the possibility someone enables it again through the UserManager. I personally would like to see a stronger protection against login of this user. This could be done by adding one more boolean attribute to the security_credential table (like is_buildin) or a hardcoded check in the UserManager.authenticate against the anonymous username. This name (default 'guest') is now managed by the Profiler though, so maybe we should move it to the UserManager then. Another issue: the security rules on the Administrative folder won't allow a non-admin user to change its password. I will move the change-password.psml into the root folder to fix this. If time permits, I will also check in tonight the second part of my JS2-151 issue containing enforced password change on first login. This includes automatic navigation to the Change Password psml with no way to navigate from it until the password is changed (logoff is still a way out though). Also included is a configurable set of days before password expiration when a user will be asked to change its password. The last day before expiration will require the password to be changed. These features are currently *not* (longer) working though as result of the new 'guest' user configuration which now *also* is required to change its password, even if this user isn't logged on at all. Kinda blocking problem :( I need this handled before I will check in my changes. Regards, Ate > > As I replied earlier, the security settings on "/" are preventing you from > viewing the root folder back link after decending into the Public folder. > It > is possible to define the access permissions on a folder to be the union > of > all of its children's access permissions, but that seems like it might be > too computationally intense to be worth it. I don't know what is best. For > now, you can propagate the current constraints in "/" folder.metadata to > its > children and open the permissions on the "/" folder itself to allow guest > access. > > I am currently having issues with the SiteBrowserPortlet: it apparently > does > not set the JAAS subject before it accesses the PageManager. Since the > access is now checked in the PageManager and Folder access methods, it is > getting SecurityExceptions. I have just started looking into this, but am > taking a break until morning. > > Talk to you then, > > Randy > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
