[ https://issues.apache.org/jira/browse/ISIS-885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14131163#comment-14131163 ]
ASF subversion and git services commented on ISIS-885:
------------------------------------------------------
Commit 48694d8e6ada55179aa0d5ce547c3bda126b603e in isis's branch
refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=48694d8 ]
ISIS-883, ISIS-885, ISIS-846: prevent user circumventing security by hacking a URL.
- for (bookmarked actions), check business rules on execution, throw new ObjectMember.AuthorizationException if fails visibility or usability checks
- for entities, if paste in URL, check user has permissions to at least one property or collection, throw AuthorizationException otherwise
- for entities, if cannot load object, throw AuthorizationException (avoid disclosing whether the object exists or not)
- for error page, if receive AuthorizationException then suppress the stack trace to avoid leaking information to possible attacker
in addition:
- for example todoapp, simplified
> To avoid leaking information (eg in the title) should have a "special" permission to throw a 404 if user doesn't have permission to view any of the class' members.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ISIS-885
> URL: https://issues.apache.org/jira/browse/ISIS-885
> Project: Isis
> Issue Type: Bug
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.6.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Fix For: viewer-wicket-1.7.0
>
>
> Otherwise, an unauthorized user could:
> a) discover (by constructing a URL) that an object exists, and
> b) worse, could view the title of said object, which would leak information about the object's state even if the object's properties were not visible.
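The four rules listed in the commit message above, modelled as an added example. This is constructed, framework-agnostic Python written for this page, not Apache Isis code: the entity repository, the role names, the `/entity/<oid>` and `/action/<oid>/<name>` URL shapes and the `handle` router are all assumptions. It shows the defensive property the fix is after: a pasted URL for an object the user may not see and a URL for an object that does not exist produce byte-for-byte the same error page, a bookmarked action is re-checked for visibility and usability at execution time, and the error page carries no stack trace for an AuthorizationException.

```python
"""Constructed model of the authorization checks in the commit message
(hypothetical code, not Apache Isis code): direct-URL access to an entity
page or a bookmarked action is re-checked against visibility and usability
rules, every failure surfaces as the same AuthorizationException, and the
error page suppresses the stack trace for that exception."""
import traceback
from dataclasses import dataclass


class AuthorizationException(Exception):
    """One exception for both 'not permitted' and 'cannot load', so a URL
    probe learns nothing about whether the object exists."""


@dataclass(frozen=True)
class Member:
    name: str
    kind: str                 # "property", "collection" or "action"
    visible_to: frozenset     # roles that may see the member
    usable_to: frozenset      # roles that may edit or invoke it


@dataclass(frozen=True)
class Entity:
    oid: str
    title: str                # titles can leak state, hence the checks below
    members: tuple


# Constructed sample repository (assumption): two entities of a todo-like class.
_REPOSITORY = {
    "TODO:1": Entity("TODO:1", "Pay rent (overdue)", (
        Member("description", "property", frozenset({"user", "admin"}), frozenset({"user", "admin"})),
        Member("dueBy", "property", frozenset({"user", "admin"}), frozenset({"admin"})),
        Member("complete", "action", frozenset({"user", "admin"}), frozenset({"admin"})),
    )),
    "TODO:2": Entity("TODO:2", "Salary review for Bob", (
        Member("notes", "property", frozenset({"admin"}), frozenset({"admin"})),
        Member("archive", "action", frozenset({"admin"}), frozenset({"admin"})),
    )),
}


def _load(oid: str) -> Entity:
    entity = _REPOSITORY.get(oid)
    if entity is None:
        # "if cannot load object, throw AuthorizationException"
        raise AuthorizationException()
    return entity


def render_entity_page(roles: set, oid: str) -> dict:
    """Entity page reached by pasting a URL: require at least one visible
    property or collection before revealing the title."""
    entity = _load(oid)
    visible = [m for m in entity.members
               if m.kind in ("property", "collection") and m.visible_to & roles]
    if not visible:
        raise AuthorizationException()
    return {"title": entity.title, "members": [m.name for m in visible]}


def execute_bookmarked_action(roles: set, oid: str, action: str) -> str:
    """Bookmarked action URL: re-run the business rules on execution rather
    than trusting that the link was rendered for this user."""
    entity = _load(oid)
    member = next((m for m in entity.members
                   if m.kind == "action" and m.name == action), None)
    if member is None or not (member.visible_to & roles):
        raise AuthorizationException()          # fails visibility check
    if not (member.usable_to & roles):
        raise AuthorizationException()          # fails usability check
    return f"{action} executed on {oid}"


def error_page(exc: BaseException) -> dict:
    """Error page: an AuthorizationException gets a fixed message and no
    stack trace; other exceptions keep the trace, as the page describes."""
    if isinstance(exc, AuthorizationException):
        return {"status": 403, "message": "Not authorized", "stack_trace": None}
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"status": 500, "message": str(exc), "stack_trace": trace}


def handle(roles: set, path: str) -> dict:
    """Minimal router for the two assumed URL shapes; every exception is
    routed through error_page so callers see only what it chooses to expose."""
    try:
        parts = path.strip("/").split("/")
        if parts[0] == "entity":
            return render_entity_page(roles, parts[1])
        if parts[0] == "action":
            return {"result": execute_bookmarked_action(roles, parts[1], parts[2])}
        raise ValueError(f"unknown route: {path}")
    except Exception as exc:  # every error goes through the error page
        return error_page(exc)
```

Calling `handle({"user"}, "/entity/TODO:2")` and `handle({"user"}, "/entity/TODO:999")` returns the identical dictionary, which is the point of collapsing "cannot load" and "no visible members" into one exception: the title "Salary review for Bob" is never rendered, and the response does not distinguish the two cases.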
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)