Dan Haywood created ISIS-885:
--------------------------------
Summary: To avoid leaking information (e.g. in the title), should
have a "special" permission to throw a 404 if the user doesn't have permission to
view any of the class's members.
Key: ISIS-885
URL: https://issues.apache.org/jira/browse/ISIS-885
Project: Isis
Issue Type: Bug
Components: Viewer: Wicket
Affects Versions: viewer-wicket-1.6.0
Reporter: Dan Haywood
Assignee: Dan Haywood
Fix For: viewer-wicket-1.7.0

Otherwise, an unauthorized user could:
a) discover (by constructing a URL) that an object exists, and
b) worse, could view the title of said object, which would leak information
about the object's state even if the object's properties were not visible.