Assuming you are using the registry-based security, then make sure the security-ref associated with the <portlet> or <entry> includes <allow-if-owner> and does not allow access to all users.
From security.xreg:
<security-entry name="owner-only">
  <meta-info>
    <title>Owner-only</title>
    <description>Full access to the owner.</description>
  </meta-info>
  <access action="*">
    <allow-if-owner/>
  </access>
</security-entry>
From WEB-INF/psml/user/turbine/html/default.psml:
<portlets id="01">
  <security-ref parent="owner-only"/>
  <metainfo>
    <title>Default Jetspeed page</title>
  </metainfo>
  <layout position="-1" size="-1"/>
  <control name="TabControl"/>
  <controller name="TabController"/>
  <portlets id="02">
    <security-ref parent="owner-only"/>
    <metainfo>
      <title>Home</title>
    </metainfo>
    ....
  </portlets>
  ....
</portlets>
Paul Spencer
Michael McLawhorn wrote:
Hi,
Thanks for the feedback. I finally got 1.4b3 working by doing a fresh install and rolling my content into it. It's not 100% yet, but I'm getting close. However, my reason for making the upgrade was this:
We're trying to develop a Jetspeed toolkit for internal use by separate development teams. However, right now any user can substitute someone else's username in the URL for any Jetspeed actions and have free run of their portlets (assuming they are in the same group) reconfiguring them, viewing their output, etc. I thought the allow-if-owner security tag would fix this, but it doesn't seem to have done anything.
Does anyone know how I can get Jetspeed to refuse attempts by user X to hit portlets defined in user Y's default.psml when they are in the same group? Thank you.
Mike McLawhorn
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
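
A small audit for the check described in the reply above, as an added example that is not part of the original thread and not Jetspeed's own code. The sample registry and PSML are constructed, the "open-to-all" entry is made up to show a failing case, and treating an `<access>` with no allow-if children as open to all users is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets quoted in the thread.
# "open-to-all" and the <entry> elements are hypothetical, for illustration only.
SECURITY_XREG = """<registry>
  <security-entry name="owner-only"><access action="*"><allow-if-owner/></access></security-entry>
  <security-entry name="open-to-all">
    <access action="view"/>
    <access action="customize"><allow-if-owner/></access>
  </security-entry>
</registry>"""

PSML = """<portlets id="01">
  <security-ref parent="owner-only"/>
  <portlets id="02">
    <security-ref parent="open-to-all"/>
    <entry id="03" parent="HelloWorld"/>
    <entry id="04" parent="HelloWorld"><security-ref parent="owner-only"/></entry>
    <entry id="05" parent="HelloWorld"><security-ref parent="missing"/></entry>
  </portlets>
</portlets>"""


def owner_only_entries(xreg_text):
    """Names of security-entries whose every <access> admits only the owner."""
    def locked(access):
        # Assumption: an <access> with no allow-if children is open to everyone.
        return len(access) > 0 and all(c.tag == "allow-if-owner" for c in access)
    ok = set()
    for entry in ET.fromstring(xreg_text).iter("security-entry"):
        accesses = entry.findall("access")
        if accesses and all(locked(a) for a in accesses):
            ok.add(entry.get("name"))
    return ok


def audit_psml(psml_text, xreg_text):
    """Return (id, reason) for each <portlets>/<entry> that needs review."""
    safe = owner_only_entries(xreg_text)
    findings = []
    nodes = [e for e in ET.fromstring(psml_text).iter() if e.tag in ("portlets", "entry")]
    for node in nodes:
        ref = node.find("security-ref")
        if ref is None:
            findings.append((node.get("id"), "no security-ref of its own"))
        elif ref.get("parent") not in safe:
            findings.append((node.get("id"), "'%s' is not owner-only" % ref.get("parent")))
    return findings
```

The check is deliberately strict: any allow-if child other than `<allow-if-owner/>` causes the entry to be reported so it can be reviewed by hand.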
