[ https://issues.apache.org/jira/browse/ISIS-883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14131162#comment-14131162 ]

ASF subversion and git services commented on ISIS-883:
------------------------------------------------------

Commit 48694d8e6ada55179aa0d5ce547c3bda126b603e in isis's branch refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=48694d8 ]

ISIS-883, ISIS-885, ISIS-846: prevent user circumventing security by hacking a URL.

for (bookmarked actions), check business rules on execution, throw new ObjectMember.AuthorizationException if fails visibility or usability checks
for entities, if paste in URL, check user has permissions to at least one property or collection, throw AuthorizationException otherwise
for entities, if cannot load object, throw AuthorizationException (avoid disclosing whether the object exists or not)
for error page, if receive AuthorizationException then suppress the stack trace to avoid leaking information to possible attacker

in addition:
- for example todoapp, simplified


> Isis 1.3: Bookmarkable action URLs can be submitted by a user without permissions to bring up action dialog (thereafter that user can invoke).
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-883
>                 URL: https://issues.apache.org/jira/browse/ISIS-883
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> originally raised in mailing list, see: http://markmail.org/thread/lmr3yy5yoz4sfkk2 for Isis 1.3
> When a user with an admin role logs in, they get access to functionality not available to standard users.
> However, if a standard user types in the URL to one of the admin pages, they get access to it.
> It appears the permissions are only checked when rendering the menus and not when executing the action.
> Essentially any authenticated user can bypass authorisation.
> The permissions are correctly checked when accessing the services through the Restful interface.
> ~~~
> More detail:
> I'm talking about bookmarkable URLs in the format
> http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
> ~~~
> It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
> Clicking the "OK" button on that form invokes the method.
> The actual URL that causes the method invocation is
> POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
> with a standard x-www-form-urlencoded post body.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
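The pattern behind the fix, as an added illustration that is not Apache Isis or Wicket code: the same visibility and usability check that filters the menu is re-run when the bookmarkable parameters page is loaded and again when the form POST invokes the action, an unloadable object and a forbidden one get an identical answer, and the error page never shows a trace for an authorization failure. The user, rule and object-store model, the role names, and every method name below are constructed for the example (Java 16+ for records).

```java
import java.util.Map;
import java.util.Set;

// Added illustration, not Apache Isis code. The user/rule/object model is
// constructed; only the idea (re-run visibility and usability checks at page
// load and at invocation, give "not found" and "not allowed" the same answer,
// keep stack traces off the error page) comes from the ticket and the commit.
public class ActionPageAuthz {

    /** Plays the role of ObjectMember.AuthorizationException from the commit message. */
    public static final class AuthorizationException extends RuntimeException {
        public AuthorizationException(String msg) { super(msg); }
    }

    /** A logged-in user with the roles granted at login (constructed model). */
    public record User(String name, Set<String> roles) {}

    /** Business rule for one action: who may see it, who may use it (constructed). */
    public record ActionRule(Set<String> visibleTo, Set<String> usableBy) {}

    // Constructed stand-in for the application's security configuration.
    static final Map<String, ActionRule> RULES = Map.of(
        "resetAllData", new ActionRule(Set.of("admin"), Set.of("admin")),
        "listTodos",    new ActionRule(Set.of("admin", "user"), Set.of("admin", "user")));

    // Constructed stand-in for the object store: oid -> owning class.
    static final Map<String, String> OBJECTS = Map.of("TodoItem:1", "TodoItem");

    static boolean hasAny(User u, Set<String> allowed) {
        return u.roles().stream().anyMatch(allowed::contains);
    }

    /** The check the menu rendering already ran; the bug was that nothing else ran it. */
    static void checkMember(User u, String oid, String actionId) {
        // A missing object and a forbidden object produce the same exception and
        // message, so the response does not reveal whether the oid exists.
        if (!OBJECTS.containsKey(oid)) throw new AuthorizationException("not authorized");
        ActionRule rule = RULES.get(actionId);
        if (rule == null || !hasAny(u, rule.visibleTo()) || !hasAny(u, rule.usableBy()))
            throw new AuthorizationException("not authorized");
    }

    /** Before: the page handler trusts whatever actionId the URL carries. */
    static String actionPageBefore(User u, Map<String, String> query) {
        return "parameter form for " + query.get("actionId");
    }

    /** After: the bookmarkable page (actionMode=PARAMETERS) checks before rendering. */
    static String actionPageAfter(User u, Map<String, String> query) {
        checkMember(u, query.get("objectOid"), query.get("actionId"));
        return "parameter form for " + query.get("actionId");
    }

    /** After: the form POST that actually invokes the action checks again. */
    static String invokeAfter(User u, String oid, String actionId, Map<String, String> form) {
        checkMember(u, oid, actionId);
        return "invoked " + actionId + " on " + oid + " with " + form;
    }

    /** Error page: an authorization failure gets a fixed message, never a trace. */
    static String errorPage(Throwable t) {
        if (t instanceof AuthorizationException) return "Not authorized.";
        // Other failures: the trace belongs in the server log, not in the response.
        return "Unexpected error (" + t.getClass().getSimpleName() + "); see server log.";
    }

    public static void main(String[] args) {
        User standard = new User("alice", Set.of("user"));
        // Query parameters of a hand-typed bookmarkable URL of the shape quoted in the ticket.
        Map<String, String> query = Map.of(
            "pageType", "ACTION", "objectOid", "TodoItem:1",
            "actionId", "resetAllData", "actionMode", "PARAMETERS");

        System.out.println(actionPageBefore(standard, query)); // form shown: the bypass
        try {
            actionPageAfter(standard, query);
        } catch (AuthorizationException e) {
            System.out.println(errorPage(e));                 // "Not authorized."
        }
        try {
            invokeAfter(standard, "TodoItem:999", "resetAllData", Map.of());
        } catch (AuthorizationException e) {
            System.out.println(errorPage(e));                 // same answer for an unknown oid
        }
        System.out.println(actionPageAfter(new User("root", Set.of("admin")), query));
    }
}
```

Running `main` shows the three outcomes side by side: the unchecked page hands the standard user the parameter form, the checked page and the checked invocation both answer "Not authorized." whether the oid is forbidden or simply does not exist, and an admin still gets the form. Keeping the check in one method (`checkMember`) and calling it from every entry point is what prevents the menu, the page and the POST from drifting apart again.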