Contributor Mode can be Entered as Anonymous User (Doc ID 1393645.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle WebCenter Portal - Version: 11.1.1.5.0 and later [Release: 11g and later]
Information in this document applies to any platform.

Symptoms


Anonymous users can enter Site Studio contributor mode by hitting CTRL+SHIFT+C.
When they enter contributor mode, the only icon they see is Refresh. However, this is still a security concern.

It is not clear what the security implications are if you can enter contributor mode. Could you edit the content in some other way (even though the pencil doesn't appear)? It would potentially be embarrassing if it was public knowledge that this functionality was available, and for a very security-focused company this may be sufficient to block go-live.

The expectation is that nothing happens when an anonymous user presses CTRL+SHIFT+C.

Steps to Reproduce
==================
1. Create a new starter WebCenter Portal Framework application

2. Create a new Content Repository connection as the default connection to point to a UCM instance

3. Execute the home.jspx

4. Log in as weblogic

5. Hit CTRL+SHIFT+E to enter edit mode

6. Add a Content Presenter task flow

7. Configure the Content Presenter task flow to point to an HTML document inside UCM

8. Close edit mode

9. On home.jspx (still logged in) hit CTRL+SHIFT+C to enter contribution mode, which should show up as expected, showing the Edit and Refresh icons

10. Click on Logout to become anonymous

11. Hit CTRL+SHIFT+C to enter contribution mode, which shows up with just the Refresh icon

Cause
