rave-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matt Franklin (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RAVE-568) Widgets with preview-status can still be added
Date Fri, 20 Apr 2012 12:02:39 GMT

    [ https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258167#comment-13258167
] 

Matt Franklin commented on RAVE-568:
------------------------------------

Gadgets in preview mode can only be added to the page by the user who submitted them.  Other
users can't add preview gadgets until they are published for everyone to see.  As an administrator
currently has to publish the gadget as a manual step, there is an explicit action being taken
by a human before any gadget is available for general consumption.

We should make it configurable whether a rave instance allows this feature to be enabled,
but I given the constraints above, what are your concerns?
                
> Widgets with preview-status can still be added
> ----------------------------------------------
>
>                 Key: RAVE-568
>                 URL: https://issues.apache.org/jira/browse/RAVE-568
>             Project: Rave
>          Issue Type: Bug
>          Components: rave-core, rave-web
>    Affects Versions: 0.10.1
>            Reporter: Dennis van der Laan
>
> In the widget store, when using the category filter or 'my widgets' filter, widgets with
'preview' status are shown also. Users are able to add preview-widgets this way.
> Because users are also able to upload widgets, which then get preview-status, this seems
like a security issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message