On 29 July 2014 02:28, matias nahuel heredia <mat...@informaticos.com> wrote:
> hi Dan!! > how can i fix this vulnerability in Apache isis? > https://www.youtube.com/watch?v=AghmbcVE710 > thanks for recording this, helps explain the issue. What we're talking about here is per-instance security... the idea that some users shouldn't be able to access some object instances (even though they do in general have access to other instances of a given class type, such as ToDoItem). As of Isis 1.6.0, the best I can suggest is to use the loaded() lifecycle callback (on ToDoItem itself) and have it thrown an exception if the object should not be accessible. Then, the ExceptionRecognizer can be used to translate this exception into a user-friendly error message. If the loaded() lifecycle callback throws the javax.jdo.ObjectNotFoundException then this is already detected by the default implementation of ExceptionRecognizer (namely ExceptionRecognizerCompositeForJdoObjectStore): final String ownedBy = getOwnedBy(); final String currentUser = container.getUser().getName(); if(!ownedBy.equals(currentUser)) { throw new JDOObjectNotFoundException("No such object"); } This code results in a redirect to the error page with a message: "Unable to load object. Has it been deleted by someone else? No such object". The "Unable to load object. Has it been deleted by someone else?" bit comes from the ExceptionRecognizer, the "No such object" comes from the loaded() method. I can think of two improvements. First, it would be to move this cross-cutting concern out of the entity (ToDoItem) and into some single subscriber that could do this sort of verification for all classes. We do have a ticket [1] to do this, I'll bring it forward to tackle in the next release 1.7.0. Second, the stack trace shown by Isis is rather ugly and also leaks the information that there is an object with the given identifier (even if the object itself isn't shown). So perhaps the ExceptionRecognizer needs to become more sophisticated such that the stack trace will be suppressed in some cases. I've raised a ticket for this requirement [2], citing this thread [3] Let me know your thoughts on the above. Thanks Dan [1] https://issues.apache.org/jira/browse/ISIS-803 [2] https://issues.apache.org/jira/browse/ISIS-846
