Forum OpenACS Development: Re: Liferay integration

3: Re: Liferay integration (response to 1)
Posted by Dave Bauer on
I see a problem since the whole point of putting files in /lib/ is that they are NOT addressable by a URL without being included in another page.

Otherwise your system seems like the simplest solution but does not address security at all. It seems like there is definitely a problem since not all includes check permissions (do any?). Perhaps it would make sense in your "include" wrapper to list pages that are OK to include this way and disallow any requests that are not in the list.

4: Re: Liferay integration (response to 3)
Posted by Malte Sussdorff on
Would it, as a first step, be okay to check if the user has read permission on the package? I am pretty sure that all includes are called after a permission check on the package and if they need to limit this further, the include itself uses the user_id (this is the fact in forums, projects and file-storage as far as I looked).

But I see your point for sure and there seems to be no easy solution for it. I would probably add a parameter in the .info file of the package to declare if it is safe to include all includes in /lib. But this should be a discussion on a larger scope on how to include and exchange content from and to OpenACS in the first place.
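
Added example, not part of either post and not OpenACS code: a plain-Tcl sketch of the gate the thread discusses, combining a per-package allowlist of includes with a package read-permission check before anything under /lib is served. The proc names, the include names in the allowlist and the permission stand-in `demo_read_p` are assumptions made for illustration.

```tcl
# Constructed allowlist: package key -> includes under its /lib that the
# wrapper may serve. The include names are made up for this example.
set allowed_includes [dict create \
    forums       {message-list thread-chunk} \
    file-storage {folder-chunk}]

# Return 1 only if the requested include is a bare name on the package's
# allowlist AND the supplied permission check grants the user read access.
# read_p_cmd is a command prefix called as: <cmd> user_id package_key
proc include_allowed_p {allowlist package_key include user_id read_p_cmd} {
    # Accept bare names only, so "/", ".." and "." can never reach the
    # file system lookup. Deny by default on anything unexpected.
    if {![regexp {^[a-z0-9][a-z0-9_-]*$} $include]} {
        return 0
    }
    # Packages that have not opted in expose nothing.
    if {![dict exists $allowlist $package_key]} {
        return 0
    }
    if {$include ni [dict get $allowlist $package_key]} {
        return 0
    }
    # Stand-in for the site's own "read permission on the package" check.
    return [expr {[{*}$read_p_cmd $user_id $package_key] ? 1 : 0}]
}

# Constructed permission stub: only user 42 may read the forums package.
proc demo_read_p {user_id package_key} {
    expr {$user_id == 42 && $package_key eq "forums"}
}

# Constructed requests: one allowed, one without permission, one path
# traversal attempt, one unlisted include, one package with no allowlist.
foreach {pkg inc uid} {
    forums   message-list           42
    forums   message-list           7
    forums   ../../www/admin/index  42
    forums   unlisted-include       42
    projects anything               42
} {
    puts [format "%-9s %-22s user=%-3s -> %s" $pkg $inc $uid \
        [include_allowed_p $allowed_includes $pkg $inc $uid demo_read_p]]
}
```

Only the first request passes; every other case falls through to a deny, which is the behaviour a wrapper exposing /lib by URL needs as its default.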