Is this concerning uPortal versions prior to 4.x? I believe uP4 already has this feature. When managing a portlet there is an option to "Hide portlet during impersonation" which does exactly what you're describing.

-----------------------------
Kevin Wilkinson
Student Affairs IT
University of California, Irvine
(949) 824-0437

Please think of the environment before printing this message.
-----------------------------

On Jul 12, 2012, at 4:58 AM, Aaron Grant wrote:

> Steve,
>
> I think that is a great idea and would be useful for us if this was implemented; I can think of 5 or 6 portlets that I could use this on right now.
>
> Aaron
>
> On Thu, Jul 12, 2012 at 1:30 AM, Steve Swinsburg <[email protected]> wrote:
>
> Hi all,
>
> We have been conducting a security audit of our portal and have discovered a situation where data of another user can be exposed via the Switch Identity portlet.
>
> For example, an admin user uses the Switch Identity portlet to switch to a student, then can view that user's timetable and enrolment information, which is meant to be private. A similar case applies to the email portlet. There are other scenarios as well, as you could imagine, since you are effectively being logged in as that user and can see and edit everything they can.
>
> Aside from further locking down of the list of users that can access the Switch Identity portlet, we are proposing a minor enhancement to the portlet itself which is to set a session attribute that signals that the user is impersonating the other user. Portlets could then read that session attribute and, if they display private information, decide not to render themselves. The attribute would then be cleared at logout time.
>
> This should be a non-obtrusive modification and the changes to portlets only need to be made as required. For example we would change our own local timetable portlet, but not worry about the weather portlet.
>
> We are interested to hear people's thoughts on this and comments on the proposed solution. If all is ok, I'll write it up in Jira and get it done.
>
> cheers,
> Steve
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/uportal-dev
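The mechanism Steve proposes above (an impersonation flag in the session that privacy-sensitive portlets check before rendering, cleared at logout), sketched as an added example in plain JSR-286 portlet code. This is not uPortal's code or the "Hide portlet during impersonation" implementation Kevin mentions; the attribute name, the portlet class and the assumption that the flag is visible to the portlet's session scope are all hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Hypothetical timetable portlet that refuses to render private data while
 * the session is flagged as an impersonation session (example, not uPortal code).
 */
public class TimetablePortlet extends GenericPortlet {

    /** Assumed attribute name; the switch-identity flow would set it. */
    static final String IMPERSONATING_ATTR = "org.example.portal.impersonating";

    /** True only when the session explicitly carries the impersonation flag. */
    static boolean isImpersonating(PortletSession session) {
        Object flag = session.getAttribute(IMPERSONATING_ATTR, PortletSession.APPLICATION_SCOPE);
        return Boolean.TRUE.equals(flag);
    }

    /** Set by the switch-identity code when impersonation begins (assumed hook). */
    static void markImpersonating(PortletSession session) {
        session.setAttribute(IMPERSONATING_ATTR, Boolean.TRUE, PortletSession.APPLICATION_SCOPE);
    }

    /** Explicit clear; session invalidation at logout also drops the attribute. */
    static void clearImpersonating(PortletSession session) {
        session.removeAttribute(IMPERSONATING_ATTR, PortletSession.APPLICATION_SCOPE);
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // Fail closed: during impersonation show a notice, never the student's data.
        if (isImpersonating(request.getPortletSession())) {
            out.println("<p>Timetable and enrolment details are hidden while impersonating.</p>");
            return;
        }

        // Normal path: render the real user's own timetable and enrolment rows here.
        out.println("<p>Timetable for the signed-in user</p>");
    }
}
```

A portlet that does not hold private data (the weather portlet in Steve's example) simply never calls `isImpersonating`, which is what makes the change opt-in per portlet.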
