Ticket #964 (closed Defect: fixed)
Webclient: "Show Configuration" discloses non-readable data
| Reported by: | jri | Owned by: | jri |
|---|---|---|---|
| Priority: | Major | Milestone: | Release 4.8.1 |
| Component: | DeepaMehta Standard Distribution | Version: | 4.8 |
| Keywords: | | Cc: | dgf, Malte, JuergeN |
| Complexity: | 3 | Area: | |
| Module: | deepamehta-config | | |
Description
The "Show Configuration" menu lists configs that belong to Administration for non-admin users as well. When such a menu item is selected, an error occurs. The respective config topic -- which is supposed to be non-readable -- is revealed anyway.
Change History
comment:4 Changed 7 years ago by jri
The GUI issue is now fixed, but a backend issue remains.
The Config REST API still discloses non-readable config data.
The issue is with the "Enabled Sharing Modes" config, which belongs to Administration at the moment. The Webclient, however, needs to read that config for non-admin users as well, namely for rendering the New Workspace dialog.
The solution would be to move the "Enabled Sharing Modes" config from Administration to System. This would make it readable for all logged-in users. At the moment I see no other solution.
Note: with the "Disk Quota" and "Login Enabled" configs there are no issues, as these are processed server-side. The Webclient needs no access to them.
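The gap described in comment:4 (menu filtered in the GUI while the backend still returns the data) and the proposed move of "Enabled Sharing Modes" to System, as a simplified model. This is an added example, not DeepaMehta code: the class, method and user names and all config values are constructed, and only the config and workspace names come from the ticket.

```python
# Simplified model of workspace-based read access to config topics.
# Class, method and user names and all config values are constructed for
# illustration; only the config and workspace names come from the ticket.
ADMINISTRATION = "Administration"  # assumed: readable by admins only
SYSTEM = "System"                  # per the ticket: readable by all logged-in users


class AccessDenied(Exception):
    pass


class ConfigService:
    def __init__(self, sharing_modes_workspace):
        self.admins = {"admin"}
        self.workspace = {  # config name -> workspace it is assigned to
            "Enabled Sharing Modes": sharing_modes_workspace,
            "Disk Quota": ADMINISTRATION,
            "Login Enabled": ADMINISTRATION,
        }
        self.values = {  # constructed sample values
            "Enabled Sharing Modes": ["private", "collaborative"],
            "Disk Quota": 150,
            "Login Enabled": True,
        }

    def is_readable(self, user, name):
        if user is None:  # not logged in
            return False
        return self.workspace[name] == SYSTEM or user in self.admins

    def menu_items(self, user):
        """GUI-side filter: list only the configs this user may read."""
        return sorted(n for n in self.workspace if self.is_readable(user, n))

    def get_unchecked(self, user, name):
        """Backend without a read check: hiding the menu item changes nothing."""
        return self.values[name]

    def get_checked(self, user, name):
        """Backend that enforces the same rule the menu uses."""
        if not self.is_readable(user, name):
            raise AccessDenied(f"{user!r} may not read {name!r}")
        return self.values[name]
```

With the config assigned to Administration, `menu_items("alice")` is empty yet `get_unchecked` still returns the value; with it assigned to System, `get_checked` serves it to any logged-in user while the other two configs stay admin-only.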