OAuth Proxy should allow for viewer access on secured owner pages.
------------------------------------------------------------------
Key: SHINDIG-1216
URL: https://issues.apache.org/jira/browse/SHINDIG-1216
Project: Shindig
Issue Type: Improvement
Components: Java
Affects Versions: 1.1-BETA3
Reporter: Paul Lindner
Assignee: Paul Lindner
The OAuth proxy currently only allows access when owner == viewer due to
security concerns. Specifically, a malicious owner could place JavaScript on
their profile page that could impersonate the viewer if care is not taken.
For sites that have secured owner pages or 'owner-less' pages we want to allow
OAuth proxy use for the viewer on any page.
This will be accomplished by adding a new configuration option and injecting it
into the OAuth fetcher config.
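
The access rule described in this issue, sketched as an added example that is not Shindig's code or part of the original message: the class, enum and flag names are hypothetical, and the flag is assumed to default to off so the strict owner == viewer rule stays in force unless the container operator opts in.

```java
import java.util.Objects;

// Hypothetical names throughout: this is not Shindig's OAuth fetcher API.
public class ViewerAccessGate {
    enum Decision { ALLOW, DENY_ANONYMOUS, DENY_VIEWER_NOT_OWNER }

    // Assumed deployment-level flag. It should only be enabled by a container
    // whose owner pages are secured or that has owner-less pages.
    private final boolean viewerAccessOnAnyPage;

    ViewerAccessGate(boolean viewerAccessOnAnyPage) {
        this.viewerAccessOnAnyPage = viewerAccessOnAnyPage;
    }

    // ownerId is null for an owner-less page; viewerId is null when nobody
    // is signed in.
    Decision check(String ownerId, String viewerId) {
        if (viewerId == null) {
            return Decision.DENY_ANONYMOUS; // no viewer to act on behalf of
        }
        if (Objects.equals(ownerId, viewerId)) {
            return Decision.ALLOW; // the existing owner == viewer rule
        }
        // Viewer differs from owner, or the page has no owner: allowed only
        // when the operator has explicitly enabled viewer access.
        return viewerAccessOnAnyPage
                ? Decision.ALLOW
                : Decision.DENY_VIEWER_NOT_OWNER;
    }

    public static void main(String[] args) {
        ViewerAccessGate strict = new ViewerAccessGate(false);
        ViewerAccessGate relaxed = new ViewerAccessGate(true);
        // Constructed sample requests: {owner, viewer}
        String[][] requests = {
            {"alice", "alice"}, {"alice", "bob"}, {null, "bob"}, {"alice", null}
        };
        for (String[] r : requests) {
            System.out.printf("owner=%s viewer=%s strict=%s relaxed=%s%n",
                    r[0], r[1], strict.check(r[0], r[1]), relaxed.check(r[0], r[1]));
        }
    }
}
```

An anonymous request is denied under both settings, so enabling the flag widens access only for signed-in viewers.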