You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@rave.apache.org by "Matt Franklin (Commented) (JIRA)" <ji...@apache.org> on 2012/04/20 14:02:39 UTC

[jira] [Commented] (RAVE-568) Widgets with preview-status can still be added

    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258167#comment-13258167 ] 

Matt Franklin commented on RAVE-568:
------------------------------------

Gadgets in preview mode can only be added to the page by the user who submitted them.  Other users can't add preview gadgets until they are published for everyone to see.  As an administrator currently has to publish the gadget as a manual step, there is an explicit action being taken by a human before any gadget is available for general consumption.

We should make it configurable whether a rave instance allows this feature to be enabled, but I given the constraints above, what are your concerns?
                
> Widgets with preview-status can still be added
> ----------------------------------------------
>
>                 Key: RAVE-568
>                 URL: https://issues.apache.org/jira/browse/RAVE-568
>             Project: Rave
>          Issue Type: Bug
>          Components: rave-core, rave-web
>    Affects Versions: 0.10.1
>            Reporter: Dennis van der Laan
>
> In the widget store, when using the category filter or 'my widgets' filter, widgets with 'preview' status are shown also. Users are able to add preview-widgets this way.
> Because users are also able to upload widgets, which then get preview-status, this seems like a security issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira