Ticket #970 (closed Defect: fixed)
Core: WRITE permission is not enforced for update/delete requests
| Reported by: | jri | Owned by: | jri |
|---|---|---|---|
| Priority: | Major | Milestone: | Release 4.8.1 |
| Component: | DeepaMehta Standard Distribution | Version: | 4.8 |
| Keywords: | | Cc: | dgf, Malte, JuergeN, carolina |
| Complexity: | 3 | Area: | Application Framework / API |
| Module: | deepamehta-core | | |
Description
A logged-in user who has no WRITE permission for a certain topic/association is still able to update/delete it via REST API. So, the backend is not properly secured.
Note: the DM Webclient would never send such a request in the first place, but other clients could do so.
Change History
comment:2 Changed 8 years ago by jri
In https://github.com/jri/deepamehta/commit/fe4e6fcc
Core: rename PreGet.. event listeners (#970).
BREAKING CHANGES
2 Core event listener classes renamed in package de.deepamehta.core.service.event:
PreGetTopicListener -> CheckTopicReadAccessListener
PreGetAssociationListener -> CheckAssociationReadAccessListener
See #970.
comment:3 Changed 8 years ago by jri
In https://github.com/jri/deepamehta/commit/8aa218e0
Core: add 2 CheckWriteAccess listeners (#970).
2 new event listeners in package de.deepamehta.core.service.event:
CheckTopicWriteAccessListener
CheckAssociationWriteAccessListener
The corresponding events are fired before a topic/association update/delete operation is executed.
See #970.
comment:4 Changed 8 years ago by jri
https://github.com/jri/deepamehta/commit/3b8951f4
Access control fix: check write access (#970).
Before updating/deleting a topic/association via REST API the WRITE permission is enforced properly.
See #970.
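The pattern behind comments 3 and 4 (fire a write-access check event before an update/delete is executed, and let the access-control listener veto the operation), as an added Python example that is not DeepaMehta code. `Core`, `Topic`, `acl_write_listener`, `handle_request`, the users alice/bob/carol and the sample topics are illustrative assumptions; the `enforce_write_access` switch reproduces the pre-fix behaviour (listeners never consulted) beside the fixed one so the two can be compared on the same requests.

```python
"""Added example, not DeepaMehta code: enforce WRITE permission before
update/delete by firing a check-write-access hook. All names are illustrative."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class AccessDenied(Exception):
    """Raised by a write-access listener to veto an update/delete."""


@dataclass
class Topic:
    id: int
    value: str
    owner: str
    writers: Set[str] = field(default_factory=set)  # users granted WRITE (constructed model)


# Listener signature modelled on a "check write access" event: (topic, user) -> None, or raise.
WriteAccessListener = Callable[[Topic, str], None]


class Core:
    def __init__(self, enforce_write_access: bool) -> None:
        self.topics: Dict[int, Topic] = {}
        self.write_listeners: List[WriteAccessListener] = []
        # False reproduces the #970 defect: listeners are registered but never consulted.
        self.enforce_write_access = enforce_write_access

    def add_write_access_listener(self, listener: WriteAccessListener) -> None:
        self.write_listeners.append(listener)

    def _fire_check_write_access(self, topic: Topic, user: str) -> None:
        if not self.enforce_write_access:
            return
        for listener in self.write_listeners:
            listener(topic, user)  # any listener may raise AccessDenied

    def update_topic(self, topic_id: int, new_value: str, user: str) -> Topic:
        topic = self.topics[topic_id]
        self._fire_check_write_access(topic, user)  # fired BEFORE the mutation
        topic.value = new_value
        return topic

    def delete_topic(self, topic_id: int, user: str) -> None:
        topic = self.topics[topic_id]
        self._fire_check_write_access(topic, user)  # a veto leaves the topic untouched
        del self.topics[topic_id]


def acl_write_listener(topic: Topic, user: str) -> None:
    """Access-control plugin: WRITE is held by the owner or an explicitly granted user."""
    if user != topic.owner and user not in topic.writers:
        raise AccessDenied(f"user {user!r} has no WRITE permission on topic {topic.id}")


def handle_request(core: Core, method: str, topic_id: int, user: str, body: str = "") -> int:
    """Minimal REST-style dispatcher for an authenticated user; returns an HTTP status code.
    The server enforces the permission regardless of which client sent the request."""
    if topic_id not in core.topics:
        return 404
    try:
        if method == "PUT":
            core.update_topic(topic_id, body, user)
            return 200
        if method == "DELETE":
            core.delete_topic(topic_id, user)
            return 204
        return 405
    except AccessDenied:
        return 403


def build_core(enforce_write_access: bool) -> Core:
    core = Core(enforce_write_access)
    core.add_write_access_listener(acl_write_listener)
    # Constructed sample data: alice owns everything, carol may write topic 1, bob has no WRITE.
    core.topics[1] = Topic(1, "original", owner="alice", writers={"carol"})
    core.topics[2] = Topic(2, "bob must not delete this", owner="alice")
    core.topics[3] = Topic(3, "alice may delete this", owner="alice")
    return core


def run_scenario(enforce_write_access: bool) -> dict:
    """Replays requests a non-Webclient client could send; returns status codes and final state."""
    core = build_core(enforce_write_access)
    return {
        "carol_put": handle_request(core, "PUT", 1, "carol", "edited by carol"),
        "bob_put": handle_request(core, "PUT", 1, "bob", "tampered"),
        "bob_delete": handle_request(core, "DELETE", 2, "bob"),
        "alice_delete": handle_request(core, "DELETE", 3, "alice"),
        "topic1_value": core.topics[1].value,
        "topic2_exists": 2 in core.topics,
        "topic3_exists": 3 in core.topics,
    }


if __name__ == "__main__":
    print("pre-fix :", run_scenario(enforce_write_access=False))
    print("fixed   :", run_scenario(enforce_write_access=True))
```

With enforcement off, bob's PUT and DELETE both succeed and topic 1 ends up "tampered"; with enforcement on they return 403 and the state is unchanged, while the owner and the granted writer still get through. The check is fired before the mutation so that a veto never leaves a half-applied change.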