Enforce SELECT_PORTLET_TYPE on type selection

Description

(This does not amount to a security vulnerability in released code, only code in master towards 4.1, and so is amenable to tracking in JIRA.)

Beyond requiring SELECT_PORTLET_TYPE to see a given portlet type in the selector UI, require that a user have SELECT_PORTLET_TYPE on the type that he or she actually selects.

Currently, a user can simply edit the integer in the form

http://cl.ly/image/2s0v2j3X3m3P

and thereby proceed to create a portlet of a type for which the user lacks the SELECT_PORTLET_TYPE permission.

(Testing just now, I used this technique to get at the workflow for publishing a Bookmarks portlet, as a user without SELECT_PORTLET_TYPE on the Bookmarks type:

http://cl.ly/image/3B1N3g151Z1C )

This amounts to an "Access control enforced by presentation layer" vulnerability (https://www.owasp.org/index.php/Access_control_enforced_by_presentation_layer).
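The bug class above, as an added illustration that is not uPortal's own code: the selector UI filters the list of portlet types by SELECT_PORTLET_TYPE, but the handler that receives the posted type id must repeat that check, because the integer in the form can be edited to a type the user was never offered. `User`, `PORTLET_TYPES` and the handler names are hypothetical, and the sample data is constructed.

```python
"""Added example (not uPortal code): enforce SELECT_PORTLET_TYPE on the
portlet type actually submitted, not only on the types shown in the UI."""
from dataclasses import dataclass, field

SELECT_PORTLET_TYPE = "SELECT_PORTLET_TYPE"

# Constructed sample catalogue of portlet types, keyed by the integer the form posts.
PORTLET_TYPES = {1: "Simple Content", 2: "Bookmarks", 3: "Calendar"}


@dataclass
class User:
    """Hypothetical principal; permitted_type_ids stands in for the permission store."""
    name: str
    permitted_type_ids: set = field(default_factory=set)

    def has_permission(self, activity, type_id):
        return activity == SELECT_PORTLET_TYPE and type_id in self.permitted_type_ids


class Forbidden(Exception):
    """Raised when the server-side permission check fails."""


def render_type_selector(user):
    """Presentation layer: list only the types the user may select."""
    return [tid for tid in PORTLET_TYPES if user.has_permission(SELECT_PORTLET_TYPE, tid)]


def _parse_type_id(form):
    # The form value is untrusted text; reject anything that is not a known type id.
    type_id = int(form["typeId"])
    if type_id not in PORTLET_TYPES:
        raise ValueError("unknown portlet type")
    return type_id


def vulnerable_select_type(user, form):
    """Before: trusts the posted integer, so a tampered form bypasses the UI filter."""
    type_id = _parse_type_id(form)
    return f"publishing workflow for {PORTLET_TYPES[type_id]}"


def enforced_select_type(user, form):
    """After: re-check SELECT_PORTLET_TYPE on the type that was actually selected."""
    type_id = _parse_type_id(form)
    if not user.has_permission(SELECT_PORTLET_TYPE, type_id):
        raise Forbidden(f"{user.name} lacks {SELECT_PORTLET_TYPE} on type {type_id}")
    return f"publishing workflow for {PORTLET_TYPES[type_id]}"
```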

Environment

None

Activity

Andrew Wills
May 23, 2014, 5:38 PM

done.

Assignee

Andrew Wills

Reporter

Andrew Petro

Estimated End Date

None

Components

Fix versions

Priority

Critical