[ 
https://issues.apache.org/jira/browse/RAVE-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258167#comment-13258167
 ] 

Matt Franklin commented on RAVE-568:
------------------------------------

Gadgets in preview mode can only be added to the page by the user who submitted 
them.  Other users can't add preview gadgets until they are published for 
everyone to see.  As an administrator currently has to publish the gadget as a 
manual step, there is an explicit action being taken by a human before any 
gadget is available for general consumption.

We should make it configurable whether a Rave instance allows this feature to 
be enabled, but given the constraints above, what are your concerns?
                
> Widgets with preview-status can still be added
> ----------------------------------------------
>
>                 Key: RAVE-568
>                 URL: https://issues.apache.org/jira/browse/RAVE-568
>             Project: Rave
>          Issue Type: Bug
>          Components: rave-core, rave-web
>    Affects Versions: 0.10.1
>            Reporter: Dennis van der Laan
>
> In the widget store, when using the category filter or 'my widgets' filter, 
> widgets with 'preview' status are shown also. Users are able to add 
> preview-widgets this way.
> Because users are also able to upload widgets, which then get preview-status, 
> this seems like a security issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
