Ticket #970 (closed Defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Core: WRITE permission is not enforced for update/delete requests

Reported by: jri Owned by: jri
Priority: Major Milestone: Release 4.8.1
Component: DeepaMehta Standard Distribution Version: 4.8
Keywords: Cc: dgf, Malte, JuergeN, carolina
Complexity: 3 Area: Application Framework / API
Module: deepamehta-core

Description

A logged in user who has no WRITE permission for a certain topic/association is still able to update/delete it via REST API. So, the backend is not properly secured.

Note: the DM Webclient would never send such a request in the first place, but other clients could do so.

Change History

comment:1 Changed 4 years ago by jri

  • Status changed from new to accepted

comment:2 Changed 4 years ago by jri

In https://github.com/jri/deepamehta/commit/fe4e6fcc

Core: rename PreGet.. event listeners (#970).

BREAKING CHANGES

2 Core event listener classes renamed in package de.deepamehta.core.service.event:

PreGetTopicListener       -> CheckTopicReadAccessListener
PreGetAssociationListener -> CheckAssociationReadAccessListener

See #970.

comment:3 Changed 4 years ago by jri

In https://github.com/jri/deepamehta/commit/8aa218e0

Core: add 2 CheckWriteAccess listeners (#970).

2 new event listeners in package de.deepamehta.core.service.event:

CheckTopicWriteAccessListener
CheckAssociationWriteAccessListener

The corresponding events are fired before a topic/association update/delete operation is executed.

See #970.

comment:4 Changed 4 years ago by jri

https://github.com/jri/deepamehta/commit/3b8951f4

Access control fix: check write access (#970).

Before updating/deleting a topic/association via REST API the WRITE permission is enforced properly.

See #970.

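The following Java sketch is an added illustration of the defect described in the ticket and of the fix outlined in comment:3 and comment:4; it is not DeepaMehta's own code. The class and method names, the owner-based permission model and the sample data are assumptions chosen for the example. It contrasts an update handler that only verifies that a user is logged in (authentication without authorization, which is the reported bug) with handlers that fire a write-access check before applying the change, in the role the CheckTopicWriteAccessListener event plays in the fix.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not DeepaMehta code. All names below are hypothetical.
public class WriteAccessCheckExample {

    /** Raised when the caller lacks WRITE permission on the target topic. */
    public static class AccessControlException extends RuntimeException {
        public AccessControlException(String message) { super(message); }
    }

    /** Hook invoked before a topic is updated or deleted (assumed shape,
     *  modelled on the event the ticket mentions, not its real signature). */
    public interface CheckTopicWriteAccessListener {
        void checkTopicWriteAccess(long topicId, String username);
    }

    /** Simple policy for the example: only the topic's owner may write it. */
    public static class OwnerOnlyWriteAccess implements CheckTopicWriteAccessListener {
        private final Map<Long, String> owners;
        public OwnerOnlyWriteAccess(Map<Long, String> owners) { this.owners = owners; }

        @Override
        public void checkTopicWriteAccess(long topicId, String username) {
            String owner = owners.get(topicId);
            if (owner == null || !owner.equals(username)) {
                throw new AccessControlException("user \"" + username
                    + "\" has no WRITE permission for topic " + topicId);
            }
        }
    }

    private final Map<Long, String> topics = new HashMap<>(); // id -> value
    private final Map<Long, String> owners;                   // id -> owner
    private final CheckTopicWriteAccessListener writeCheck;

    public WriteAccessCheckExample(Map<Long, String> owners,
                                   CheckTopicWriteAccessListener writeCheck) {
        this.owners = owners;
        this.writeCheck = writeCheck;
    }

    public void createTopic(long id, String owner, String value) {
        topics.put(id, value);
        owners.put(id, owner);
    }

    public String getTopic(long id) { return topics.get(id); }

    // "Before" handler: the defect. Being logged in is all that is verified,
    // so any authenticated client can change a topic it may not write.
    public void updateTopicUnchecked(long id, String username, String value) {
        requireLoggedIn(username);
        topics.put(id, value);
    }

    // "After" handlers: the write-access check fires before the change is applied.
    public void updateTopic(long id, String username, String value) {
        requireLoggedIn(username);
        writeCheck.checkTopicWriteAccess(id, username);
        topics.put(id, value);
    }

    public void deleteTopic(long id, String username) {
        requireLoggedIn(username);
        writeCheck.checkTopicWriteAccess(id, username);
        topics.remove(id);
        owners.remove(id);
    }

    private static void requireLoggedIn(String username) {
        if (username == null) throw new AccessControlException("not logged in");
    }

    public static void main(String[] args) {
        // Constructed sample data: topic 42 is owned by "alice"; "bob" is another logged-in user.
        Map<Long, String> owners = new HashMap<>();
        WriteAccessCheckExample svc =
            new WriteAccessCheckExample(owners, new OwnerOnlyWriteAccess(owners));
        svc.createTopic(42L, "alice", "original");

        svc.updateTopicUnchecked(42L, "bob", "changed by non-owner");
        System.out.println("unchecked update by bob succeeded: topic 42 = " + svc.getTopic(42L));

        try {
            svc.updateTopic(42L, "bob", "changed again");
        } catch (AccessControlException e) {
            System.out.println("checked update rejected: " + e.getMessage());
        }

        svc.updateTopic(42L, "alice", "restored by owner");
        System.out.println("checked update by owner: topic 42 = " + svc.getTopic(42L));

        try {
            svc.deleteTopic(42L, "bob");
        } catch (AccessControlException e) {
            System.out.println("checked delete rejected: " + e.getMessage());
        }

        svc.deleteTopic(42L, "alice");
        System.out.println("topic 42 present after owner delete: " + (svc.getTopic(42L) != null));
    }
}
```

The point the sketch makes is the one the ticket makes: a login check is not an authorization check. Placing the permission check in a hook that every update and delete path must call, rather than in individual client code, is what closes the gap for clients other than the DM Webclient, since the server no longer relies on the client refraining from sending the request.
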
comment:5 Changed 4 years ago by jri

  • Status changed from accepted to closed
  • Resolution set to fixed