[
https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471482#comment-13471482
]
Hoang Minh Tien commented on WOOKIE-384:
----------------------------------------
Yes, that's the case: private widget instance but public page.
It is the same with other widgets like natter, todo, simplechat... everyone who
goes to the page can be Bob or Alice to the widgets.
> persist parameter of oAuth feature not user-isolated
> ----------------------------------------------------
>
> Key: WOOKIE-384
> URL: https://issues.apache.org/jira/browse/WOOKIE-384
> Project: Wookie
> Issue Type: Bug
> Components: Feature Management
> Affects Versions: 0.14.0
> Environment: Windows 7, Chrome
> Reporter: Matthias Niederhausen
> Original Estimate: 3h
> Remaining Estimate: 3h
>
> When I use the "persist" parameter of the oAuth feature (which is the
> default), every other user will automatically use my token after I have
> approved access.
> This results in a severe security issue, e.g., my Google contact list being
> shown to someone else.
> Using "false" for the parameter value, I have to re-authenticate every try
> (which is okay).
> The behaviour for "true" should instead be to cache the token for every
> individual user (i.e., widget instance).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
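
The behaviour requested in the issue, caching the token per widget instance instead of once per feature, shown next to the reported behaviour. This is an added example, not Wookie's code; the class names, the `instanceKey` and `service` parameters, and the sample values are all hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; this is not Wookie's token store.
public class TokenCacheDemo {

    // Reported behaviour: one cached token per service, so the first
    // user's approval is reused for every later caller.
    static class SharedTokenCache {
        private final Map<String, String> byService = new ConcurrentHashMap<>();
        void put(String instanceKey, String service, String token) {
            byService.put(service, token);   // instanceKey is ignored
        }
        Optional<String> get(String instanceKey, String service) {
            return Optional.ofNullable(byService.get(service));
        }
    }

    // Requested behaviour: the cache key includes the widget instance,
    // so a token is returned only to the instance that obtained it.
    static class PerInstanceTokenCache {
        private record Key(String instanceKey, String service) {}
        private final Map<Key, String> byInstance = new ConcurrentHashMap<>();
        void put(String instanceKey, String service, String token) {
            byInstance.put(new Key(instanceKey, service), token);
        }
        Optional<String> get(String instanceKey, String service) {
            return Optional.ofNullable(byInstance.get(new Key(instanceKey, service)));
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String alice = "instance-alice", bob = "instance-bob", svc = "contacts";

        SharedTokenCache shared = new SharedTokenCache();
        shared.put(alice, svc, "token-A");
        System.out.println("shared, bob gets: " + shared.get(bob, svc));

        PerInstanceTokenCache isolated = new PerInstanceTokenCache();
        isolated.put(alice, svc, "token-A");
        System.out.println("isolated, bob gets: " + isolated.get(bob, svc));
        System.out.println("isolated, alice gets: " + isolated.get(alice, svc));
    }
}
```

Keying by instance isolates tokens only as far as instances are distinct: in the case raised in the comment, where a public page exposes a single widget instance to every visitor, those visitors would still share that instance's token.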