[ https://issues.apache.org/jira/browse/ISIS-883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Haywood updated ISIS-883:
-----------------------------
Description:
When a user with an admin role logs in, they get access to functionality not
available to standard users.
However, if a standard user types in the URL to one of the admin pages, they
get access to it.
It appears the permissions are only checked when rendering the menus and not
when executing the action.
Essentially any authenticated user can bypass authorisation.
The permissions are correctly checked when accessing the services through the
Restful interface.
~~~
More detail:
I'm talking about bookmarkable URLs in the format
http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
~~~
It's not the invocation that's being accessed by the bookmarkable URL, it's the
form to enter the parameters.
Clicking the "OK" button on that form invokes the method.
The actual URL that causes the method invocation is
POST
http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
with a standard x-www-form-urlencoded post body.
was:
When a user with an admin role logs in, they get access to functionality not
available to standard users.
However, if a standard user types in the URL to one of the admin pages, they
get access to it.
It appears the permissions are only checked when rendering the menus and not
when executing the action.
Essentially any authenticated user can bypass authorisation.
The permissions are correctly checked when accessing the services through the
Restful interface.
~~~
More detail:
I'm talking about bookmarkable URLs in the format
http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
> Bookmarkable action URLs can be submitted by a user without permissions to
> invoke.
> ----------------------------------------------------------------------------------
>
> Key: ISIS-883
> URL: https://issues.apache.org/jira/browse/ISIS-883
> Project: Isis
> Issue Type: Bug
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.6.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Priority: Blocker
> Fix For: viewer-wicket-1.7.0
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
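The defect described in this issue is a classic "authorise at presentation, not at invocation" gap: the menu hides actions the user may not run, but the invocation path trusts that the user reached the parameter form through that menu. The example below is added here and is not Apache Isis or Wicket code; every class, method and action name in it is hypothetical. It models the viewer's two code paths side by side: a menu renderer that filters by permission, an unchecked invoker that reproduces the bypass when a standard user submits the admin action's form directly, and a hardened invoker that re-evaluates the same authorisation rule on every invocation and logs the denial.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Hypothetical model (not the Apache Isis / Wicket API) of "authorise at invocation,
// not only when rendering the menu". Requires Java 16+ for records.
public class ActionAuthorization {

    /** A logged-in user and the roles granted to them. */
    record User(String name, Set<String> roles) {}

    /** An invokable action, registered under the id a bookmarked URL would carry. */
    record Action(String id, String requiredRole, Function<Map<String, String>, String> body) {}

    /** Thrown when an action is invoked by a user who is not authorised for it. */
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    private final Map<String, Action> registry = new LinkedHashMap<>();

    void register(Action a) { registry.put(a.id(), a); }

    /** The single authorisation rule; menu rendering and invocation must both use it. */
    boolean isAuthorised(User user, Action action) {
        return user.roles().contains(action.requiredRole());
    }

    /** Menu rendering: lists only the actions the user may invoke. In the reported bug
     *  this was the only place the permission was evaluated. */
    List<String> renderMenu(User user) {
        List<String> visible = new ArrayList<>();
        for (Action a : registry.values()) {
            if (isAuthorised(user, a)) visible.add(a.id());
        }
        return visible;
    }

    /** Vulnerable invocation path: assumes the caller reached the form via the menu,
     *  so a hand-typed bookmarkable URL followed by the form POST goes through. */
    String invokeUnchecked(User user, String actionId, Map<String, String> params) {
        return lookup(actionId).body().apply(params);
    }

    /** Hardened invocation path: re-checks authorisation on every invocation, so the
     *  action id in a replayed URL or POST body is worthless without the role. */
    String invoke(User user, String actionId, Map<String, String> params) {
        Action a = lookup(actionId);
        if (!isAuthorised(user, a)) {
            // Worth alerting on: a request for an action the menu would never have offered.
            System.err.printf("DENIED user=%s action=%s%n", user.name(), actionId);
            throw new AuthorizationException("not authorised to invoke " + actionId);
        }
        return a.body().apply(params);
    }

    private Action lookup(String actionId) {
        Action a = registry.get(actionId);
        if (a == null) throw new IllegalArgumentException("unknown action " + actionId);
        return a;
    }

    public static void main(String[] args) {
        ActionAuthorization app = new ActionAuthorization();
        app.register(new Action("listUsers", "user", p -> "users listed"));
        app.register(new Action("resetAllPasswords", "admin", p -> "passwords reset"));

        User admin = new User("alice", Set.of("user", "admin"));
        User standard = new User("bob", Set.of("user"));

        System.out.println("admin menu:     " + app.renderMenu(admin));     // both actions
        System.out.println("standard menu:  " + app.renderMenu(standard));  // listUsers only

        // Constructed form submission: the standard user posts the admin action's
        // parameter form directly, never having seen it in the menu.
        Map<String, String> params = Map.of("confirm", "true");
        System.out.println("unchecked path: " + app.invokeUnchecked(standard, "resetAllPasswords", params));
        try {
            app.invoke(standard, "resetAllPasswords", params);
        } catch (AuthorizationException e) {
            System.out.println("checked path:   " + e.getMessage());
        }
    }
}
```

The point of sharing one `isAuthorised` rule between `renderMenu` and `invoke` is that the menu becomes a convenience rather than a control: whatever the viewer hides, the invocation endpoint (the `IFormSubmitListener` POST in the report) independently refuses. The `DENIED` log line is the detection hook; under normal use a user never submits a form for an action they could not see, so each such event is a direct signal of URL tampering or a replayed request.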