Webclient: "Show Configuration" discloses non-readable data

[jri]

The "Show Configuration" menu lists configs that belong to Administration also for non-admin users. If selecting such a menu item an error occurs. The respective config topic -- which is supposed to be not readable -- is revealed anyway.

[Jörg Richter <jri@…>]

In 91f9f09ce724c43903226e743b34998284154f48/deepamehta:

Config service: fix permissions (#964).

The GET /config call returns only the registered config definitions the current user has READ permission for, based on the Config Modification Role.

Core AccessControl? API

---

2 new methods:

boolean hasReadPermission(String username, long workspaceId);

boolean hasWritePermission(String username, long workspaceId);

See #964.

[Jörg Richter <jri@…>]

In a8cebb4d4dc6a1f84300f6f5d768e24aeb4a5ded/deepamehta:

Refresh "Show Config" command on login/out (#964).

In the Webclient the "Show Configuration" submenu is refreshed once the user logs in/out.

See #964.

[jri]

The GUI issue is now fixed, but a backend issue remains.

The Config REST API still discloses non-readable config data.

The issue is with the "Enabled Sharing Modes" config, which belongs to Administration at the moment. The Webclient however needs to read that config for non-admin users as well, namely for rendering the New Workspace dialog.

The solution would be to move the "Enabled Sharing Modes" config from Administration to System. This would make it readable for all logged in users. At the moment I see no other solution.

Note: with the "Disk Quota" and "Login Enabled" configs there are no issues as these are processed at server-side. The Weblient needs no access to them.

[jri]

The original GUI issue is fixed.
The Config REST API access control issue still needs to be discussed.