[EMAIL PROTECTED] wrote:
>
> I was fixing a couple of bugs in Jetspeed this weekend when I found this in the
> TODO list:
>
> - Make sure that Admin portlets can't be instantiated from not within the
> Admin screen.
>
> Kevin, do you *really* consider this to be a high priority release stopper?
> I don't see this having a lot of impact and any simple fix we may make will be
> a hack.
> I'd much rather wait for a correct implementation of security features in the
> portlet registry and relegate this bug to normal priority.

No. I think this is a big issue. Just do a:

/servlet/jetspeed/portlet/JavaRuntimePortlet

and you will get the user's JVM info :(

The security fix will be to require Turbine authentication on the Admin
screen. If the portlet requires administration access I am going to do
a lookup to make sure they are in the Turbine admin role. This will
require user authentication BTW.

Kevin
--
Kevin A Burton ([EMAIL PROTECTED])
http://relativity.yi.org
Message to SUN: "Please Open Source Java!"
"For evil to win is for good men to do nothing."
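
The check described in the reply above, sketched as an added example that is not part of the thread and is not Jetspeed or Turbine code: it contrasts a role check done only on the Admin screen with one done wherever a portlet is instantiated by name. Every class, method, the `admin` role string and the registry contents are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical model of the issue; none of these are Jetspeed or Turbine classes.
public class PortletAccessCheck {
    record Entry(String name, boolean adminOnly) {}
    record User(String name, Set<String> roles) {}   // a null User means no login

    // Constructed registry: the portlet named in the message plus one public portlet.
    static final Map<String, Entry> REGISTRY = Map.of(
        "JavaRuntimePortlet", new Entry("JavaRuntimePortlet", true),
        "WelcomePortlet", new Entry("WelcomePortlet", false));

    static boolean isAdmin(User u) {
        return u != null && u.roles().contains("admin");
    }

    // Before: only the Admin screen checks the role, the by-name path does not.
    static String adminScreenBefore(String name, User u) {
        return isAdmin(u) ? "200 " + name : "403 admin role required";
    }
    static String byNameBefore(String name, User u) {
        return REGISTRY.containsKey(name) ? "200 " + name : "404 unknown portlet";
    }

    // After: the check sits at instantiation, so every path goes through it.
    static String instantiate(String name, User u) {
        Entry e = REGISTRY.get(name);
        if (e == null) return "404 unknown portlet";
        if (e.adminOnly() && u == null) return "401 login required";
        if (e.adminOnly() && !isAdmin(u)) return "403 admin role required";
        return "200 " + e.name();
    }

    public static void main(String[] args) {
        User admin = new User("admin1", Set.of("admin"));
        User plain = new User("user1", Set.of("user"));
        String p = "JavaRuntimePortlet";
        System.out.println("before, admin screen, no login: " + adminScreenBefore(p, null));
        System.out.println("before, by name, no login:      " + byNameBefore(p, null));
        System.out.println("after, by name, no login:       " + instantiate(p, null));
        System.out.println("after, by name, non-admin:      " + instantiate(p, plain));
        System.out.println("after, by name, admin:          " + instantiate(p, admin));
        System.out.println("after, public portlet, no login: " + instantiate("WelcomePortlet", null));
    }
}
```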