Posted to dev@rave.apache.org by "Dennis van der Laan (Created) (JIRA)" <ji...@apache.org> on 2012/04/19 22:54:40 UTC

[jira] [Created] (RAVE-568) Widgets with preview-status can still be added

Widgets with preview-status can still be added
----------------------------------------------

                 Key: RAVE-568
                 URL: https://issues.apache.org/jira/browse/RAVE-568
             Project: Rave
          Issue Type: Bug
          Components: rave-web
    Affects Versions: 0.10.1
            Reporter: Dennis van der Laan


In the widget store, when using the category filter or 'my widgets' filter, widgets with 'preview' status are shown also. Users are able to add preview-widgets this way.
Because users are also able to upload widgets, which then get preview-status, this seems like a security issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (RAVE-568) Widgets with preview-status can still be added

Posted by "Matt Franklin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258167#comment-13258167 ] 

Matt Franklin commented on RAVE-568:
------------------------------------

Gadgets in preview mode can only be added to the page by the user who submitted them.  Other users can't add preview gadgets until they are published for everyone to see.  As an administrator currently has to publish the gadget as a manual step, there is an explicit action being taken by a human before any gadget is available for general consumption.

We should make it configurable whether a rave instance allows this feature to be enabled, but given the constraints above, what are your concerns?
                

        

[jira] [Updated] (RAVE-568) Widgets with preview-status can still be added

Posted by "Dennis van der Laan (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis van der Laan updated RAVE-568:
-------------------------------------

    Component/s: rave-core
    

        

[jira] [Closed] (RAVE-568) Widgets with preview-status can still be added

Posted by "Matt Franklin (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Franklin closed RAVE-568.
------------------------------

    Resolution: Not A Problem
    

        

[jira] [Commented] (RAVE-568) Widgets with preview-status can still be added

Posted by "Dennis van der Laan (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258446#comment-13258446 ] 

Dennis van der Laan commented on RAVE-568:
------------------------------------------

I added a bug (RAVE-569) and a story (RAVE-570). Do you want me to close this issue?
                

        

[jira] [Commented] (RAVE-568) Widgets with preview-status can still be added

Posted by "Dennis van der Laan (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258187#comment-13258187 ] 

Dennis van der Laan commented on RAVE-568:
------------------------------------------

When using a category filter, all users see all matching gadgets, regardless of the gadget's status. The store shows the 'Add' button, so users can add these gadgets to their pages. The gadgets are not being shown if in preview, but still... I don't think users will be happy with this kind of behavior.

IMO all submitted gadgets should first be reviewed by an admin before being addable by any user, including the user who submitted the gadget. At least, that is what I expect, based on the status 'preview' and 'published'.
This is purely based on how I see our Rave environment being used within our organisation, and this might not be the general idea of how submitting and using gadgets should work in Rave (users can use their own gadgets in iGoogle or Netvibes, too). This being said, I would like Rave to have an option to enable or disable the ability for a widget owner to use a preview-statused gadget.

Secondly, the widget store now shows different results, depending on if a filter is applied or not. If I search for text, or if I do not filter the contents of the store, I only see published widgets. If I filter based on a category, all widgets are shown, regardless of their status. So, if there are only 'communications' gadgets in the store, and I select this category, I see more results in the store than when not selecting a category. I think this is not intuitive, at the least.
                

        

[jira] [Commented] (RAVE-568) Widgets with preview-status can still be added

Posted by "Matt Franklin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258201#comment-13258201 ] 

Matt Franklin commented on RAVE-568:
------------------------------------

So the search and category selection behaviors sound like bugs.  I think we should add 2 new jira issues:  

1) bug for filter application
2) new story to configure whether users can add widgets they put into the store to their page

If you have time to create and describe these issues that would be great.  If not, I will try to do them later.
                
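
The behaviour discussed in this thread, as an added example that is not Rave's code or part of any message above: one status rule applied to the unfiltered, search and category listings and checked again when a widget is added. The class, record, method and flag names are hypothetical, the flag models the option requested in the thread, and the sample widgets are constructed.

```java
import java.util.*;
import java.util.stream.*;

public class WidgetStorePolicy {
    enum Status { PREVIEW, PUBLISHED }
    record Widget(String title, String category, Status status, String owner) {}

    // Hypothetical instance-level switch: may an owner use their own preview widget?
    private final boolean ownerMayUsePreview;
    private final List<Widget> widgets;

    WidgetStorePolicy(List<Widget> widgets, boolean ownerMayUsePreview) {
        this.widgets = widgets;
        this.ownerMayUsePreview = ownerMayUsePreview;
    }

    // The single rule that every listing and the add action go through.
    boolean usableBy(Widget w, String user) {
        if (w.status() == Status.PUBLISHED) return true;
        return ownerMayUsePreview && w.owner().equals(user);
    }

    // A null category or text means "no filter"; filters only narrow the usable set,
    // so a category query can never return more than the unfiltered store.
    List<Widget> list(String user, String category, String text) {
        return widgets.stream()
            .filter(w -> usableBy(w, user))
            .filter(w -> category == null || w.category().equals(category))
            .filter(w -> text == null || w.title().toLowerCase().contains(text.toLowerCase()))
            .collect(Collectors.toList());
    }

    // Checked server-side on add: hiding the 'Add' button is not the access check.
    void add(String user, Widget w, List<Widget> page) {
        if (!usableBy(w, user)) throw new SecurityException("widget not available to " + user);
        page.add(w);
    }

    public static void main(String[] args) {
        // Constructed sample data: one published widget, one preview widget owned by alice.
        Widget mail = new Widget("Mail", "communications", Status.PUBLISHED, "admin");
        Widget chat = new Widget("Chat", "communications", Status.PREVIEW, "alice");
        WidgetStorePolicy store = new WidgetStorePolicy(List.of(mail, chat), true);
        System.out.println(store.list("bob", "communications", null));
        System.out.println(store.list("alice", "communications", null));
        try { store.add("bob", chat, new ArrayList<>()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Constructing the store with the flag set to false gives the stricter behaviour asked for in the thread, where a preview widget is unusable by everyone, its owner included, until it is published.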