Posted to jetspeed-dev@portals.apache.org by bu...@apache.org on 2003/11/24 13:16:18 UTC

DO NOT REPLY [Bug 24939] New: - administrative functions not secured

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24939>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24939

administrative functions not secured

           Summary: administrative functions not secured
           Product: Jetspeed
           Version: 1.4b5-dev / CVS
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Security
        AssignedTo: jetspeed-dev@jakarta.apache.org
        ReportedBy: olaf.romanski@tpg.pl


Here is what I do (using nightly build from 09.09.2003):
1. Create a new user (initially has USER role only)
2. Log on to Jetspeed with that user's name
3. Enter one of the following URLs into my browser:

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.PortletUpdateAction&eventSubmit_doDelete=true&portlet_name=portlet_to_be_deleted

and

http://localhost:8080/jetspeed/portal/template/Home/template/Home?action=portlets.security.PermissionUpdateAction&eventSubmit_doInsert=true&name=inserted_permission_name

Result is:
Having only the USER role, I deleted portlet 'portlet_to_be_deleted' from the portlet 
registry and added the new permission 'inserted_permission_name'.
Should be:
Some message about an unauthorized access attempt should be displayed, or at least 
protected resources should not be modified.

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
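The report boils down to a missing authorization check: the eventSubmit_doDelete and eventSubmit_doInsert handlers run for any logged-on user regardless of role. The following is an added example, not Jetspeed's own code, of the shape of fix the "Should be" section asks for: a small dispatcher that maps each state-changing event to the role it requires and refuses (with a logged denial) when the caller lacks it. All class, role and handler names here are hypothetical; the request map is constructed to mirror the first URL in the report.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Jetspeed's own code. Demonstrates gating privileged
 * eventSubmit_* handlers behind a role check so that a USER-only account
 * cannot trigger doDelete or doInsert. Names are hypothetical.
 */
public class SecuredActionDispatcher {

    /** Minimal stand-in for a logged-on user and the roles granted to them. */
    static final class User {
        final String name;
        final Set<String> roles;
        User(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** Outcome of a dispatch; the caller renders a message or applies the change. */
    enum Outcome { PERFORMED, DENIED, UNKNOWN_EVENT }

    /** Hypothetical policy: every state-changing event names the role it needs. */
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<>();
    static {
        REQUIRED_ROLE.put("doDelete", "ADMIN"); // removes a portlet from the registry
        REQUIRED_ROLE.put("doInsert", "ADMIN"); // adds a permission
        REQUIRED_ROLE.put("doUpdate", "ADMIN");
    }

    /** Extracts the event name from an eventSubmit_<event>=true parameter. */
    static String eventFrom(Map<String, String> params) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (e.getKey().startsWith("eventSubmit_") && "true".equals(e.getValue())) {
                return e.getKey().substring("eventSubmit_".length());
            }
        }
        return null;
    }

    /** Deny by default: unknown events and missing roles never reach a handler. */
    static Outcome dispatch(User user, Map<String, String> params) {
        String event = eventFrom(params);
        if (event == null || !REQUIRED_ROLE.containsKey(event)) {
            return Outcome.UNKNOWN_EVENT;
        }
        String needed = REQUIRED_ROLE.get(event);
        if (!user.roles.contains(needed)) {
            // Record the attempt; the view layer shows an "unauthorized" message
            // instead of touching the registry.
            System.out.println("DENIED " + user.name + " -> " + event
                    + " (requires role " + needed + ")");
            return Outcome.DENIED;
        }
        // Only here would the real handler (e.g. the registry delete) be invoked.
        System.out.println("PERFORMED " + event + " for " + user.name);
        return Outcome.PERFORMED;
    }

    public static void main(String[] args) {
        // Constructed request mirroring the report's first URL.
        Map<String, String> request = new HashMap<>();
        request.put("action", "portlets.PortletUpdateAction");
        request.put("eventSubmit_doDelete", "true");
        request.put("portlet_name", "portlet_to_be_deleted");

        User plainUser = new User("newuser", "USER");
        User admin = new User("admin", "USER", "ADMIN");

        System.out.println(dispatch(plainUser, request));
        System.out.println(dispatch(admin, request));
    }
}
```

The important design choice is that the policy table is the only way a handler gets invoked: an event absent from the table is rejected rather than run, so adding a new privileged action without registering its role fails closed instead of reproducing the bug.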