> > We're trying to develop a Jetspeed toolkit for internal use by
> > separate development teams. However, right now any user can
> > substitute someone else's username in the URL for any Jetspeed actions
> > and have free run of their portlets (assuming they are in the same
> > group) reconfiguring them, viewing their output, etc. I thought the
> > allow-if-owner security tag would fix this, but it doesn't seem to
> > have done anything.
> >
> > Does anyone know how I can get Jetspeed to refuse attempts by user X
> > to hit portlets defined in user Y's default.psml when they are in the
> > same group? Thank you.
> >
> > Mike McLawhorn
> >
> I thought that the <allow-if-owner> would handle this too.
> Could you please log a detailed bug on this one:
>
This is the same bug I reported in Bugzilla bug 14907 over a month ago.

jim arnott
Reuters R&D
