On Fri, Feb 5, 2010 at 8:00 AM, <[email protected]> wrote:
> The DeveloperBrowser portlet seems to be able to add any roles to the
> users that it's allowed to administer (those with role 'dev').
> So devmgr could give users the 'admin' role!
>
> Is there a way to configure a preference for this portlet that would
> allow the deployer to specify the available roles, or to specify predefined
> sets of required roles for the devmgr to choose from?
>

Good point, a loophole in the delegated security. Could you create a JIRA issue and we can discuss and implement it from there, thanks
