Ticket #964 (closed Defect: fixed)

Opened 7 years ago

Last modified 7 years ago

Webclient: "Show Configuration" discloses non-readable data

Reported by: jri Owned by: jri
Priority: Major Milestone: Release 4.8.1
Component: DeepaMehta Standard Distribution Version: 4.8
Keywords: Cc: dgf, Malte, JuergeN
Complexity: 3 Area:
Module: deepamehta-config

Description

The "Show Configuration" menu lists configs that belong to Administration also for non-admin users. If such a menu item is selected, an error occurs. The respective config topic -- which is supposed not to be readable -- is revealed anyway.

Change History

comment:1 Changed 7 years ago by jri

  • Status changed from new to accepted

comment:2 Changed 7 years ago by Jörg Richter <jri@…>

In 91f9f09ce724c43903226e743b34998284154f48/deepamehta:

Config service: fix permissions (#964).

The GET /config call returns only the registered config definitions the current user has READ permission for, based on the Config Modification Role.

Core AccessControl API

2 new methods:

boolean hasReadPermission(String username, long workspaceId);

boolean hasWritePermission(String username, long workspaceId);

See #964.

comment:3 Changed 7 years ago by Jörg Richter <jri@…>

In a8cebb4d4dc6a1f84300f6f5d768e24aeb4a5ded/deepamehta:

Refresh "Show Config" command on login/out (#964).

In the Webclient the "Show Configuration" submenu is refreshed once the user logs in/out.

See #964.

comment:4 Changed 7 years ago by jri

The GUI issue is now fixed, but a backend issue remains.

The Config REST API still discloses non-readable config data.

The issue is with the "Enabled Sharing Modes" config, which belongs to Administration at the moment. The Webclient however needs to read that config for non-admin users as well, namely for rendering the New Workspace dialog.

The solution would be to move the "Enabled Sharing Modes" config from Administration to System. This would make it readable for all logged in users. At the moment I see no other solution.

Note: with the "Disk Quota" and "Login Enabled" configs there are no issues as these are processed at server-side. The Webclient needs no access to them.
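
The server-side check described in comment 2 (list only the config definitions whose workspace the caller may READ) and the change proposed in comment 4 (move "Enabled Sharing Modes" from Administration to System so every logged-in user can read it), as an added example. This is not DeepaMehta code and does not use its API: the role-to-workspace mapping, the workspace ids, the membership model in AccessControl, the config type URIs and the usernames are all assumptions made up for the example.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not DeepaMehta code. Models the fix in #964: every config
 * definition carries a modification role, each role is assumed to map to one
 * workspace, and the listing returns only definitions whose workspace the
 * caller has READ permission for. Fetching a single config applies the same
 * check, so a non-readable config is denied instead of revealed.
 */
public class ConfigPermissionFilter {

    /** Modification roles as named in the ticket (Administration, System). */
    enum ModificationRole { ADMIN, SYSTEM }

    /** One registered config definition (type URI is a placeholder). */
    static final class ConfigDefinition {
        final String configTypeUri;
        final ModificationRole role;
        ConfigDefinition(String configTypeUri, ModificationRole role) {
            this.configTypeUri = configTypeUri;
            this.role = role;
        }
    }

    /** Assumed workspace ids behind the two roles. */
    static final long ADMIN_WORKSPACE = 1L;
    static final long SYSTEM_WORKSPACE = 2L;

    /**
     * Minimal access-control model (assumption): Administration is readable by
     * its members only, System by every logged-in user, nothing anonymously.
     */
    static final class AccessControl {
        private final Set<String> adminMembers = new HashSet<>();

        void addAdminMember(String username) { adminMembers.add(username); }

        boolean hasReadPermission(String username, long workspaceId) {
            if (username == null) return false;            // anonymous: nothing readable
            if (workspaceId == SYSTEM_WORKSPACE) return true;
            if (workspaceId == ADMIN_WORKSPACE) return adminMembers.contains(username);
            return false;                                  // unknown workspace: deny
        }
    }

    static long workspaceOf(ModificationRole role) {
        return role == ModificationRole.ADMIN ? ADMIN_WORKSPACE : SYSTEM_WORKSPACE;
    }

    /** What a permission-filtered GET /config returns for this user. */
    static List<ConfigDefinition> readableConfigs(List<ConfigDefinition> registered,
                                                  AccessControl ac, String username) {
        List<ConfigDefinition> result = new ArrayList<>();
        for (ConfigDefinition def : registered) {
            if (ac.hasReadPermission(username, workspaceOf(def.role))) {
                result.add(def);
            }
        }
        return result;
    }

    /** Single-config fetch: deny rather than reveal when the caller lacks READ. */
    static ConfigDefinition getConfig(List<ConfigDefinition> registered, AccessControl ac,
                                      String username, String configTypeUri) {
        for (ConfigDefinition def : registered) {
            if (def.configTypeUri.equals(configTypeUri)) {
                if (!ac.hasReadPermission(username, workspaceOf(def.role))) {
                    throw new SecurityException("no READ permission for " + configTypeUri);
                }
                return def;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        AccessControl ac = new AccessControl();
        ac.addAdminMember("admin");

        // Constructed sample registry; all three configs in Administration, as before comment 4.
        List<ConfigDefinition> before = new ArrayList<>();
        before.add(new ConfigDefinition("example.login_enabled", ModificationRole.ADMIN));
        before.add(new ConfigDefinition("example.disk_quota", ModificationRole.ADMIN));
        before.add(new ConfigDefinition("example.sharing_modes", ModificationRole.ADMIN));
        System.out.println("alice, sharing modes in Administration: "
                + readableConfigs(before, ac, "alice").size());

        // Comment 4's proposal: move only the sharing-modes config to System.
        List<ConfigDefinition> after = new ArrayList<>(before.subList(0, 2));
        after.add(new ConfigDefinition("example.sharing_modes", ModificationRole.SYSTEM));
        System.out.println("alice, sharing modes in System: "
                + readableConfigs(after, ac, "alice").size());
        System.out.println("anonymous: " + readableConfigs(after, ac, null).size());
        System.out.println("admin: " + readableConfigs(after, ac, "admin").size());

        // Direct fetch of an Administration config by a non-admin is refused.
        try {
            getConfig(after, ac, "alice", "example.login_enabled");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Note that the fix only works if the same check guards the single-config GET as well as the listing; filtering the menu alone (comment 3) leaves the backend issue from comment 4 in place, since a client can still request a config by its type URI directly.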

comment:5 Changed 7 years ago by jri

  • Status changed from accepted to closed
  • Resolution set to fixed

The original GUI issue is fixed.
The Config REST API access control issue still needs to be discussed.
