Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 856083

Summary: A user without a portlet access permission is able to add its portlet in Edit Page
Product: [JBoss] JBoss Enterprise Portal Platform 5 Reporter: Eiichi Nagai <enagai>
Component: Portal Assignee: Nobody <nobody>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.2.2.GA CC: epp-bugs
Target Milestone: ---   
Target Release: 5.2.3.GA   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The function used by the floating window to display the applications (portlets, gadgets) from the application registry in the page edit view did not contain any permission checks.
Consequence: A user could see portlets without having the proper entitlements.
Fix: A permission check was added to the function which generates the list of available applications.
Result: Application permissions are now properly taken into account when the floating window with the registry entries is rendered in the edit page view.
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-02-10 03:20:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eiichi Nagai 2012-09-11 07:27:24 UTC
Description of problem:
A user without a portlet access permission is able to add that portlet in Edit Page. However, the portlet cannot be deleted and does not become effective for that user.

How reproducible:
Always

Steps to Reproduce:
1. Start a default EPP server
2. Access the portlet page (http://localhost:8080/portlet)
3. Sign in as the root user (root/gtn)
4. Change a portlet access permission.
 1) Group -> Administration -> Application Registry -> Categories
 2) Left Categories pane -> Choose “SiteMap” portlet in “Web” Category
 3) Add an administrator permission (Group Id=platform/administrators, Membership Type=*) and delete a user permission (Group Id=/platform/users, Membership Type=*).
5. Sign in as a user with User permission (mary/gtn).
6. You can add the “SiteMap” portlet without permission in Edit Page.
 1) Dashboard -> Click & Type Page Name -> Dashboard Editor -> Edit Page
 2) You can add the “SiteMap” portlet and you cannot delete it.

Expected results:
I think that a portlet without access permission should not be displayed in the Page Editor pane.

Comment 1 Martin Weiler 2012-09-28 12:34:48 UTC
Committed revision 8850 to EPP_5_2_Branch.

Comment 3 Red Hat Bugzilla 2025-02-10 03:20:48 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.
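
The cause and fix given in the Doc Text above, as an added example that is not the EPP/GateIn source or the committed revision: a registry listing without a permission check beside the same listing filtered by the user's memberships. The class and method names, the "ExampleUserPortlet" entry, and the memberships given to mary and root are assumptions constructed for illustration.

```java
import java.util.*;
import java.util.stream.Collectors;

public class RegistryFilterExample {
    // Constructed model of a registry entry: a name plus the memberships allowed to use it.
    static final class App {
        final String name;
        final List<String[]> access; // each entry: {membershipType, groupId}
        App(String name, String[]... access) { this.name = name; this.access = Arrays.asList(access); }
    }

    // True if one of the user's memberships satisfies one of the application's access entries.
    // "*" as the required membership type matches any membership type in that group.
    static boolean hasAccess(App app, List<String[]> userMemberships) {
        for (String[] need : app.access)
            for (String[] have : userMemberships)
                if (need[1].equals(have[1]) && (need[0].equals("*") || need[0].equals(have[0])))
                    return true;
        return false; // default deny, also when the access list is empty
    }

    // Before: every registry entry is offered in the edit-page application list.
    static List<String> listUnchecked(List<App> registry) {
        return registry.stream().map(a -> a.name).collect(Collectors.toList());
    }

    // After: only entries the current user is entitled to are offered.
    static List<String> listChecked(List<App> registry, List<String[]> userMemberships) {
        return registry.stream().filter(a -> hasAccess(a, userMemberships))
                .map(a -> a.name).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed data mirroring the reproduction steps: SiteMap is limited to administrators.
        List<App> registry = Arrays.asList(
            new App("SiteMap", new String[]{"*", "/platform/administrators"}),
            new App("ExampleUserPortlet", new String[]{"*", "/platform/users"}));
        // Assumed memberships; the report only gives the account names.
        List<String[]> mary = Collections.singletonList(new String[]{"member", "/platform/users"});
        List<String[]> root = Arrays.asList(new String[]{"manager", "/platform/administrators"},
                                            new String[]{"member", "/platform/users"});
        System.out.println("unchecked, mary: " + listUnchecked(registry));
        System.out.println("checked, mary:   " + listChecked(registry, mary));
        System.out.println("checked, root:   " + listChecked(registry, root));
    }
}
```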