
Key: UP-1153
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Brad Szabo
Reporter: Eric Andresen
Votes: 0
Watchers: 0
uPortal

Any user is able to enter Fragment Manager and create fragments

Created: 05/Jul/05 01:39 PM   Updated: 06/Oct/06 02:39 PM
Component/s: Aggregated Layouts
Affects Version/s: 2.4.1, 2.4.2, 2.5.0 M1, 2.5.1 RC1, 2.5.0 RC1, 2.5.0 RC3, 2.5.0 RC2, 2.5.0 GA, 2.5.1 RC2, 2.5.2 RC1, 2.4.4, 2.4.3, 2.5.1 RC3, 2.5.1 GA, 2.4.3.1, 2.5.3 RC1, 2.5.2 GA, 2.5.3 RC2, 2.5.3 RC3, 2.5.3 GA
Fix Version/s: 2.5.4

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
File Attachments: 1. CFragmentManager.diff (0.7 kb)



Description
Any user can construct a URL to enter the Fragment Manager directly. An example of such a constructed URL is:

http://localhost:8080/portal/tag.userLayoutRootNode.uP?uP_sparam=mode&mode=preferences&uP_fname=fragment-manager&uPcFM_action=default

This works when logged in as any user other than the unauthenticated guest.

The fix would be to perform permission checks on the channel itself, rather than in the theme.



Comments
Brad Szabo [06/Oct/06 02:39 PM]
Added authorization check in CFragmentManager which restricts access to those users who have Publishing permissions. This is the same permission used in UserInstance to set the authorizedFragmentPublisher parameter which controls access to the ALM Fragment Manager in the theme.

The Fragment Manager will now throw an AuthorizationException and fail to render for non-authorized users if accessed via the URL hack specified in the description.
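The pattern described in the description and in the fix comment above, as an added example that is not uPortal code: a theme that only hides the link cannot protect a channel that any request can name by `uP_fname`, so the channel must enforce the same permission itself. The class and permission names (`User`, `VulnerableFragmentManager`, `FixedFragmentManager`, `AuthorizationException`, the `"Publishing"` permission, `authorizedFragmentPublisher`) are hypothetical stand-ins that mirror the names in the issue, not the real uPortal API; the dispatcher and the query string are constructed for the example.

```python
"""Added example (not uPortal code): authorization belongs in the channel that
performs the action, not only in the theme that decides whether to show a link.
All class, permission and parameter names here are hypothetical stand-ins."""

from dataclasses import dataclass, field
from urllib.parse import parse_qs


class AuthorizationException(Exception):
    """Raised when a user invokes a channel they are not permitted to use."""


@dataclass
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)
    guest: bool = False


def has_publishing_permission(user: User) -> bool:
    """The single permission check both layers should share (hypothetical)."""
    return not user.guest and "Publishing" in user.permissions


def theme_parameters(user: User) -> dict:
    """Theme layer: decides whether the Fragment Manager link is rendered.
    Mirrors the authorizedFragmentPublisher parameter named in the fix comment;
    it controls what the user sees, not what the user may request."""
    return {"authorizedFragmentPublisher": has_publishing_permission(user)}


def parse_query(query: str) -> dict:
    """Flatten a uP-style query string into a parameter dictionary."""
    return {k: v[0] for k, v in parse_qs(query).items()}


class VulnerableFragmentManager:
    """Before the fix: assumes only the theme can lead a user here, so it never
    checks the permission itself."""

    def render(self, user: User, params: dict) -> str:
        action = params.get("uPcFM_action", "default")
        return f"fragment-manager:{action} for {user.name}"


class FixedFragmentManager:
    """After the fix: enforces the same permission the theme uses, so a
    hand-built URL reaches the check no matter how the request arrived."""

    def render(self, user: User, params: dict) -> str:
        if not has_publishing_permission(user):
            raise AuthorizationException(f"{user.name} lacks Publishing permission")
        action = params.get("uPcFM_action", "default")
        return f"fragment-manager:{action} for {user.name}"


# Constructed from the query string quoted in the issue description.
CRAFTED_QUERY = (
    "uP_sparam=mode&mode=preferences&uP_fname=fragment-manager&uPcFM_action=default"
)


def dispatch(channel, user: User, query: str):
    """Portal front controller (hypothetical): routes any request that names the
    channel by uP_fname, regardless of whether the theme rendered a link to it."""
    params = parse_query(query)
    if params.get("uP_fname") != "fragment-manager":
        return None
    return channel.render(user, params)


def can_reach_fragment_manager(channel, user: User, query: str = CRAFTED_QUERY) -> bool:
    """True if the user gets a rendered channel, False if authorization stops them."""
    try:
        return dispatch(channel, user, query) is not None
    except AuthorizationException:
        return False


if __name__ == "__main__":
    ordinary = User("alice")
    publisher = User("admin", frozenset({"Publishing"}))
    print("theme shows link to alice:", theme_parameters(ordinary))
    print("vulnerable, alice reaches channel:",
          can_reach_fragment_manager(VulnerableFragmentManager(), ordinary))
    print("fixed, alice reaches channel:",
          can_reach_fragment_manager(FixedFragmentManager(), ordinary))
    print("fixed, publisher reaches channel:",
          can_reach_fragment_manager(FixedFragmentManager(), publisher))
```

The point the example makes is that `theme_parameters` and the channel check call the same `has_publishing_permission` function: the theme result only controls rendering of the link, and the channel's own check is what actually denies the crafted request. Keeping one shared predicate also avoids the two layers drifting apart when the permission model changes.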