Forum

Social Office 1.5b Private Site Security Issue

Nick Willey, modified 13 years ago.

Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
I've been evaluating SO 1.5b for an intranet project and all has gone well for the most part. One issue that just surfaced is the apparent security bug in the way that the search feature returns results from Private sites that a member is not a member of. The problem was reported as SOS-189. I believe this was corrected in LPS-4789; however, there is no indication that it was resolved in SO 1.5b.

I'm concerned that the most recent community edition of Social Office has such a serious security issue. At this time, I am unsure how to proceed with my evaluation.

Thank you to anyone that can provide some assistance.

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
Nick, we're working on getting an updated CE release out to the community. Meanwhile, you are welcome to get a trial version of the enterprise edition.
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Bryan,

Thank you for the update. What are the limitations of the trial version? Will I be able to move from the trial version to the updated community edition?

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
Nick,

We would give you a trial license key that is time limited to 30 days (or longer).

Upgradeability from EE to CE is not guaranteed, but if you wanted to do it manually you could try.

Are you budget-constrained, policy-constrained, or philosophically constrained in terms of using EE?
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Bryan,

Thank you for your quick reply. I need to roll this out very soon, so a trial wouldn't work. Especially if I couldn't easily migrate settings, data, etc. to CE.

This is for a small company intranet project and the budget isn't there for even the most basic EE service level (I received a quote last week). I certainly believe that your product is worth every penny; I just can't justify the price when the user base is so small.

I look forward to more updates regarding the release of SO 2.0.

Thanks,

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
Nick, we're also aiming to release a SaaS version within the next two quarters. Perhaps you can hold out with the beta until then.

For the CSS issue specifically, I'm going to see if a patch can be made available.

For the search issue, I think that would be a little more difficult and you might need to wait for the next CE.

Thanks for investing in the Liferay community.
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Hi Bryan,

At this point the only show-stopper is the search issue since I can't lock down private site data. Private sites are really no different than public sites with regard to permissions on the content. I've played with permissions in an attempt to work around the issue with no luck. I'm curious what others in the community are doing?

Thanks,

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
You might be able to figure it out by referencing this JIRA ticket:

http://issues.liferay.com/browse/SOS-169
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Bryan,

I'm very grateful for the attention you're providing here.

I've looked over SOS-169 and traced it back to the related issues. Unfortunately, the fix seems to have been applied only to 1.5RC, which is the EE version. I don't see anywhere in the 5.2.3 branch that this was applied.

I'm considering not using Private sites for the time being, or disabling the site-wide search somehow.

Thank you again for your prompt attention.

Nick
Hennie de Villiers, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 78 Join Date: 01/04/09
I am also interested to know how one can go about building an SO install from the last 5.2.3 svn repositories, or is that not advised?

Most problems normally get fixed in stride and added to the repositories, and it is likely that many of the issues experienced in 1.5B may relate to fixes for 5.2.3, or at least the specific 5.2.3 build that was used to create 1.5B. It may not solve all, but I am almost certain a couple of quirks must have been addressed by now.

If this is viable, could one of the Liferay team members maybe for the time being produce a 1.6Temp version from 5.2.3 in anticipation of 2?

I think many users may shy away from Social Office due to the issues with 1.5B, as it greatly inhibits usability, and although it is reasonably stable, administrators will run into many small usability issues.

Any thoughts on this?
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Hennie,

I too considered downloading the latest source for 5.2.3; however, it seems that many of these issues were never back-ported to the 5.2.3 branch. Instead they were rolled into the non-public 1.5RC (EE) version. I too would love to see a 1.6 with some of these issues fixed. I realize that the team is working on 2.0, but when the only public version has several significant issues, it may lead to slow or no adoption by the public.

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
Nick,

We are internally determining whether we have the resources to release a 1.6 CE. We will keep you posted.
Nick Willey, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 53 Join Date: 24/08/10
Thanks again Bryan. I don't mean to be a burden. I'm still trying to find ways to work around the issues with the current version.

Thanks again for your prompt attention.

Nick
Bryan Cheung, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Expert Posts: 373 Join Date: 27/08/04
Yeah, you *should* be able to modify the search to something like "Search Open Sites" instead of "Everything."

The drawback would be that you would exclude results in private sites that the user *would* have had access to otherwise; but the upside is you wouldn't expose private content.
Hennie de Villiers, modified 13 years ago.

RE: Social Office 1.5b Private Site Security Issue

Junior Member Posts: 78 Join Date: 01/04/09
See http://svn.liferay.com/repos/public/plugins/branches/5.2.x/portlets/ for the portlets for 5.2.3.