Ticket #11174 (closed Bug: fixed)

Opened 4 years ago

Last modified 2 years ago

Portal Members can't add portlets to their dashboard

Reported by: davidjb Owned by: garbas
Priority: major Milestone: 4.x
Component: General Version: 4.1
Keywords: TuneUp Cc: asigottech, naro

Description

In Plone 4.0, regular users (e.g. Member role only) are not able to add portlets to their own dashboard because the "Add portlet" drop-down menus are empty, due to a lack of permissions. Manipulating (hiding, showing, deleting) default portlets works fine.

Assigning Member the "Portlets: Manage portlets" permission in the Security tab of the ZMI means the users can now see the listing of portlets in the drop-down and add portlets accordingly. That said, assigning this permission is not an option because it gives the users access to @@manage-portlets everywhere on the site.

Users should be able to add portlets to their own dashboards, as was the case in Plone 3.

If there's a use case for locking users out of adding portlets to their dashboard, then a separate permission should be added.

Change History

comment:1 Changed 4 years ago by kleist

  • Component changed from Unknown to Infrastructure

comment:2 Changed 3 years ago by jessilfp

  • Keywords TuneUp added

Please try to verify this

comment:3 Changed 3 years ago by garbas

  • Owner set to garbas
  • Status changed from new to assigned

comment:4 Changed 3 years ago by buchi

The add view for portlet assignments is protected by the plone.app.portlets.ManagePortlets permission. Changing this to plone.app.portlets.ManageOwnPortlets fixes this issue. However, I don't know if this view needs to be protected at all. Permission checking for portlet assignments seems to be done in IPortletPermissionChecker.

Before Zope 2.12.9 the add view used to work because of a bug in Products.Five where permissions were ignored for view directives (see: https://bugs.launchpad.net/zope2/+bug/578326).

comment:5 Changed 3 years ago by ree

According to buchi, the solution is to use the following in an override::

    <browser:view
        for="plone.portlets.interfaces.IPortletAssignmentMapping"
        name="+"
        class="plone.app.portlets.browser.adding.PortletAdding"
        allowed_interface="plone.app.portlets.browser.interfaces.IPortletAdding"
        permission="plone.app.portlets.ManageOwnPortlets"
        />

My question is:

Has there been any auditing to see that this does not possibly open a security hole (e.g. privilege escalation by a normal user adding a hidden portlet, which then gets executed by the admin, or the like)?

In other words, is it for sure that the permissions relaxed this way from ManagePortlets to ManageOwnPortlets are checked another time via the IPortletPermissionChecker, or is this just a theory?

Thanks for any info in advance...

comment:6 Changed 3 years ago by asigottech

  • Cc asigottech added
  • Priority changed from major to critical

comment:7 Changed 3 years ago by asigottech

  • Priority changed from critical to major

comment:8 Changed 3 years ago by naro

  • Cc naro added

comment:9 Changed 2 years ago by gaudenzius

  • Status changed from assigned to confirmed
  • Version set to 4.1

AFAICS it's not possible to add a portlet to the dashboard of another user. There is a check to avoid this in the permission checker. And adding regular portlets is still protected by the ManagePortlets permission.

OTOH I'm not sure if it's right to just substitute ManagePortlets by ManageOwnPortlets. What if you want to disable changes to the dashboard and still allow normal portlet changes? Alternatives are either registering two add views for the two use cases with appropriate permissions, or making the add view public and simply relying on the IPortletPermissionChecker all the time.

comment:10 Changed 2 years ago by hvelarde

we need to fix this bug ASAP and we have resources available for that; please contact me.

comment:11 Changed 2 years ago by hvelarde

comment:12 Changed 2 years ago by jstegle

I've encountered the same problem for one of our projects and I solved it using this:

    <browser:view
        for="plone.app.portlets.interfaces.IUserPortletAssignmentMapping"
        name="+"
        class="plone.app.portlets.browser.adding.PortletAdding"
        allowed_interface="plone.app.portlets.browser.interfaces.IPortletAdding"
        permission="plone.app.portlets.ManageOwnPortlets"
        />

This overrides the permission just for IUserPortletAssignmentMapping instead of for every use of the IPortletAssignmentMapping interface, and still keeps the ManagePortlets permission for the rest of the site.

Hope this helps
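As an added illustration of the two layers discussed in comment:9 and comment:12 (a more specific add-view registration for user dashboards, plus an ownership check in the permission checker), here is a constructed Python model. It is not Plone code: only the two permission ids are real, the mapping classes, the registry dict and the checker are stand-ins for interface-based view lookup and IPortletPermissionChecker.

```python
# Constructed model of the two checks discussed in this ticket; not Plone code.
# Permission ids are the real ones named in the ticket, everything else is a toy.
MANAGE_PORTLETS = "plone.app.portlets.ManagePortlets"
MANAGE_OWN_PORTLETS = "plone.app.portlets.ManageOwnPortlets"


class Unauthorized(Exception):
    pass


class PortletAssignmentMapping:
    """Stands in for IPortletAssignmentMapping (any portlet column)."""
    owner = None


class UserPortletAssignmentMapping(PortletAssignmentMapping):
    """Stands in for IUserPortletAssignmentMapping (one user's dashboard)."""
    def __init__(self, owner):
        self.owner = owner


# View registrations, analogous to the two <browser:view name="+"> directives:
# the generic one needs ManagePortlets, the dashboard one only ManageOwnPortlets.
ADD_VIEW_PERMISSIONS = {
    PortletAssignmentMapping: MANAGE_PORTLETS,
    UserPortletAssignmentMapping: MANAGE_OWN_PORTLETS,
}


def add_view_permission(mapping):
    """Most specific registration wins, as with interface-based view lookup."""
    for cls in type(mapping).__mro__:
        if cls in ADD_VIEW_PERMISSIONS:
            return ADD_VIEW_PERMISSIONS[cls]
    raise LookupError("no add view registered")


def check_assignment(user, permissions, mapping):
    """Second layer, modelled on the ownership check comment:9 describes."""
    if isinstance(mapping, UserPortletAssignmentMapping):
        if mapping.owner != user:
            raise Unauthorized("cannot manage another user's dashboard")
    elif MANAGE_PORTLETS not in permissions:
        raise Unauthorized("site-wide portlets need ManagePortlets")


def add_portlet(user, permissions, mapping, portlet):
    """Both layers must pass; returns a label for the assignment made."""
    if add_view_permission(mapping) not in permissions:
        raise Unauthorized("add view not allowed")
    check_assignment(user, permissions, mapping)
    return f"{portlet} -> {mapping.owner or 'site'}"
```

With only ManageOwnPortlets a Member can add to their own dashboard but is refused both for another user's dashboard (by the checker) and for a site-wide column (by the view permission).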

comment:13 Changed 2 years ago by frapell

  • Status changed from confirmed to closed
  • Resolution set to fixed

I've committed the proposed fix and it should be included in the next version (2.2.5) of the plone.app.portlets package used by Plone 4.2 and 4.3:

 https://github.com/plone/plone.app.portlets/commit/cd074b181e3526e9e06d167abb74b14e1ebc7f99

and then, after a chat with David Glick, I've changed it to do the same as proposed in comment:12:

 https://github.com/plone/plone.app.portlets/commit/08dcc9ecb03e8c118d21ae4c129d78ae90f6082e

I've also backported it to be included in the next version (2.1.8) of the plone.app.portlets package used by the Plone 4.1 series:

 https://github.com/plone/plone.app.portlets/commit/fa9ae3835b4e1fbeb9a2d313986f40c33b5e2413
 https://github.com/plone/plone.app.portlets/commit/147f0090dcb8af75ee65c982269406a9d5b0be42

And finally, I wrote some tests to confirm the issue is fixed.

comment:14 Changed 22 months ago by davisagli

  • Component changed from Infrastructure to General