[ https://issues.apache.org/jira/browse/RAVE-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anthony Carlucci resolved RAVE-298.
-----------------------------------

    Resolution: Fixed

Documentation has been published on how to implement model permission security 
for the rest of our models and services: 
http://incubator.apache.org/rave/documentation/index.html

I will be closing this ticket and creating a separate set of issues to finish 
implementing ModelPermissionEvaluator classes for the rest of our models and 
annotating our service interfaces.
                
> Page manipulations are unchecked
> --------------------------------
>
>                 Key: RAVE-298
>                 URL: https://issues.apache.org/jira/browse/RAVE-298
>             Project: Rave
>          Issue Type: Bug
>    Affects Versions: 0.4-INCUBATING
>            Reporter: Jasha Joachimsthal
>            Assignee: Anthony Carlucci
>            Priority: Critical
>             Fix For: 0.5-INCUBATING
>
>
> Currently it's possible to add/move/delete a widget on a page that does not 
> belong to the logged-in user by changing request parameters or the id in the 
> URL. Checks must be added to page and widget manipulations to verify that the 
> manipulations are performed by the owner.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
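
The owner check the issue description asks for, as an added example that is not part of the original message and not Rave's code: plain Java with hypothetical names (`PageService`, `Page`, `deleteWidget`) and constructed sample data, and it does not use Rave's ModelPermissionEvaluator API. It puts the unchecked operation beside a version that compares the authenticated user with the stored page owner.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PageOwnershipCheck {
    // Hypothetical model: a page records the username of its owner.
    record Page(long id, String owner, List<String> widgets) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    static class PageService {
        private final Map<Long, Page> pages = new HashMap<>();

        void save(Page p) { pages.put(p.id(), p); }

        // Unchecked variant, as in the report: any caller can act on any page id.
        void deleteWidgetUnchecked(long pageId, String widget) {
            pages.get(pageId).widgets().remove(widget);
        }

        // Checked variant: the caller identity comes from the authenticated session,
        // never from a request parameter, and is compared with the stored owner.
        void deleteWidget(String authenticatedUser, long pageId, String widget) {
            Page page = pages.get(pageId);
            // Same error for "missing" and "not yours" so page ids cannot be probed.
            if (page == null || !page.owner().equals(authenticatedUser)) {
                throw new AccessDeniedException("no access to page " + pageId);
            }
            page.widgets().remove(widget);
        }
    }

    public static void main(String[] args) {
        PageService service = new PageService();
        // Constructed sample data: page 1 belongs to alice.
        service.save(new Page(1L, "alice", new ArrayList<>(List.of("weather", "news"))));

        try {
            service.deleteWidget("bob", 1L, "weather"); // another user's page id
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        service.deleteWidget("alice", 1L, "news"); // the owner is allowed
        System.out.println(service.pages.get(1L).widgets());
    }
}
```

The check sits in the service method rather than in the web layer, so every entry point that reaches the operation passes through it.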

        
