[ https://issues.apache.org/jira/browse/ISIS-883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14131180#comment-14131180 ]

Dan Haywood commented on ISIS-883:
----------------------------------

I have now made a fix for this, in 1.7.0-SNAPSHOT. Please note: I don't have 
any plans to backport this as a patch to 1.3.0, so (as you are on 1.3.0) you 
might want to upgrade to 1.6.0 as an interim to ensure there are no other 
issues from that upgrade.

~~~
As I was testing against 1.6.0, not 1.3.0, I'm not completely certain that the 
quoted bookmarked URL is still valid, for two reasons:
a) as of 1.4.0 (I think it was) we now have action prompts rather than action 
pages;
b) as of 1.4.0 there is a MetaModelValidator check to ensure that the only 
bookmarkable actions are safe actions.

Because of a), the only action URL that I was able to grab from the UI was one 
that invokes the action, not brings up the action page.

All that said, I was able to reproduce a similar issue in 1.6.0, using the 
todoapp.  First, I re-enabled action pages using:

in WEB-INF/viewer_wicket.properties:
isis.viewer.wicket.disableModalDialogs=true

I also (using todoapp for my testing) added in @ActionSemantics(Of.SAFE) for 
the ToDoItems#newToDo(...) action. This then caused the action invocation to 
be bookmarked.

Logging in as a different user that didn't have permission to invoke this 
action through the UI, I was nevertheless able to invoke the action by invoking 
the URL directly, adjusting the params as necessary to create arbitrary new 
items, e.g.:

http://localhost:8080/wicket/action/dom.todo.ToDoItems:1/dom.todo.ToDoItems/newToDo%28java.lang.String,dom.todo.ToDoItem$Category,dom.todo.ToDoItem$Subcategory,org.joda.time.LocalDate,java.math.BigDecimal%29/USER?actionArgs=abc&actionArgs=Professional&actionArgs=$nullArg$&actionArgs=20140925&actionArgs=$nullArg$

So, with the problem more-or-less reproduced (and at any rate, while exposing a 
similar issue in 1.6.0), I went about fixing the issue.

Specifically: when the action is invoked, it now double-checks that the user 
passes both the visibility and usability rules (and throws an 
ObjectMember.AuthorizationException if it fails) and also performs a validity 
check.

Throwing the ObjectMember.AuthorizationException redirects to the ErrorPage.  
In order to avoid leaking information, the ErrorPage now suppresses the 
stacktrace and renders a very generic message for this particular exception 
type.

~~~
In a similar vein, I have also now put in a check in EntityPage that ensures that 
the user can view the target object if they paste in its URL to the browser, e.g.:

http://localhost:8080/wicket/entity/TODO:L_0

If they have no permission to any of the entity's properties/collections, then 
we again throw an authorization exception.

~~~
Also, if the object simply doesn't exist:

http://localhost:8080/wicket/entity/TODO:L_999

we also throw the same exception (rather than "no such database row" as 
previously), again to avoid leaking information to a hacker.


> Isis 1.3: Bookmarkable action URLs can be submitted by a user without 
> permissions to bring up action dialog (thereafter that user can invoke).
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-883
>                 URL: https://issues.apache.org/jira/browse/ISIS-883
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> originally raised in mailing list, see: 
> http://markmail.org/thread/lmr3yy5yoz4sfkk2  for Isis 1.3
> When a user with an admin role logs in, they get access to functionality not 
> available to standard users.
> However, if a standard user types in the URL to one of the admin pages, they 
> get access to it.
> It appears the permissions are only checked when rendering the menus and not 
> when executing the action.
> Essentially any authenticated user can bypass authorisation.
> The permissions are correctly checked when accessing the services through the 
> Restful interface.
> ~~~
> More detail:
> I'm talking about bookmarkable URLs in the format
> http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class 
> name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class 
> name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method 
> description>&pageTitle=<page title>&actionMode=PARAMETERS
> ~~~
> It's not the invocation that's being accessed by the bookmarkable URL, it's 
> the form to enter the parameters.
> Clicking the "OK" button on that form invokes the method.
> The actual URL that causes the method invocation is
> POST 
> http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
> with a standard x-www-form-urlencoded post body.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
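The pattern the fix above describes, as an added, self-contained illustration that is not Apache Isis code and was not written by the comment's author: a request handler for bookmarked action and entity URLs that re-checks visibility and usability at invocation time (rather than only when rendering the menus), validates the arguments, and raises one generic AuthorizationException both for a user without permission and for an object that does not exist, so the response does not reveal which of the two applied. Every name in it (BookmarkedRequestGuard, Action, Entity, the role names, the "newToDo" stand-in and the "TODO:L_0"/"TODO:L_999" sample oids) is a constructed assumption for this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical guard in front of bookmarked action/entity requests; not the Isis metamodel. */
public final class BookmarkedRequestGuard {

    /** Deliberately generic: identical whether the target is missing or merely not permitted. */
    public static final class AuthorizationException extends RuntimeException {
        AuthorizationException() { super("Not authorized"); }
    }

    /** Raised when the arguments fail the action's own validation rule. */
    public static final class ValidationException extends RuntimeException {
        ValidationException(String reason) { super(reason); }
    }

    /** One action on a domain object: its visibility, usability and validity rules plus the invocation. */
    public interface Action {
        boolean isVisibleTo(Set<String> roles);
        boolean isUsableBy(Set<String> roles);
        String validate(Map<String, String> args);   // null when valid, otherwise the reason
        String invoke(Map<String, String> args);
    }

    /** A domain object whose properties each carry the roles allowed to view them. */
    public static final class Entity {
        final Map<String, Set<String>> propertyViewRoles = new HashMap<>();
        Entity property(String name, String... roles) {
            propertyViewRoles.put(name, new HashSet<>(Arrays.asList(roles)));
            return this;
        }
    }

    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Entity> entities = new HashMap<>();   // oid -> entity
    private final Map<String, Action> actions = new HashMap<>();    // actionId -> action

    public void user(String name, String... roles) { userRoles.put(name, new HashSet<>(Arrays.asList(roles))); }
    public void entity(String oid, Entity e) { entities.put(oid, e); }
    public void action(String id, Action a) { actions.put(id, a); }

    private Set<String> rolesOf(String user) { return userRoles.getOrDefault(user, new HashSet<>()); }

    /** Action URL: re-check visibility and usability here, not only at menu-rendering time, then validate. */
    public String invokeAction(String user, String oid, String actionId, Map<String, String> args) {
        if (!entities.containsKey(oid)) throw new AuthorizationException();
        Action action = actions.get(actionId);
        Set<String> roles = rolesOf(user);
        if (action == null || !action.isVisibleTo(roles) || !action.isUsableBy(roles)) {
            throw new AuthorizationException();
        }
        String reason = action.validate(args);
        if (reason != null) throw new ValidationException(reason);
        return action.invoke(args);
    }

    /** Entity URL: the user must be able to view at least one property; a missing object gets the same error. */
    public Set<String> viewEntity(String user, String oid) {
        Entity e = entities.get(oid);
        if (e == null) throw new AuthorizationException();
        Set<String> roles = rolesOf(user);
        Set<String> visible = new HashSet<>();
        for (Map.Entry<String, Set<String>> p : e.propertyViewRoles.entrySet()) {
            if (!Collections.disjoint(p.getValue(), roles)) visible.add(p.getKey());
        }
        if (visible.isEmpty()) throw new AuthorizationException();
        return visible;
    }

    public static void main(String[] argv) {
        BookmarkedRequestGuard guard = new BookmarkedRequestGuard();
        guard.user("sven", "admin");   // constructed admin user
        guard.user("bob", "user");     // constructed standard user
        guard.entity("TODO:L_0", new Entity().property("description", "admin", "user").property("cost", "admin"));

        // Constructed stand-in for an admin-only action such as ToDoItems#newToDo.
        guard.action("newToDo", new Action() {
            public boolean isVisibleTo(Set<String> roles) { return roles.contains("admin"); }
            public boolean isUsableBy(Set<String> roles) { return roles.contains("admin"); }
            public String validate(Map<String, String> args) {
                return args.getOrDefault("description", "").isEmpty() ? "description is required" : null;
            }
            public String invoke(Map<String, String> args) { return "created '" + args.get("description") + "'"; }
        });

        Map<String, String> args = new HashMap<>();
        args.put("description", "abc");
        System.out.println(guard.invokeAction("sven", "TODO:L_0", "newToDo", args));

        // The same bookmarked action URL, replayed by a user without permission, is refused at invocation time.
        expectRefusal(() -> guard.invokeAction("bob", "TODO:L_0", "newToDo", args));
        // A non-existent oid gets the identical generic response, not a "no such row" error.
        expectRefusal(() -> guard.viewEntity("bob", "TODO:L_999"));
        // A permitted user sees only the properties their role may view.
        System.out.println(guard.viewEntity("bob", "TODO:L_0"));
    }

    private static void expectRefusal(Runnable request) {
        try { request.run(); throw new AssertionError("expected AuthorizationException"); }
        catch (AuthorizationException ex) { System.out.println("refused: " + ex.getMessage()); }
    }
}
```

The two points the comment makes are both visible in the guard: the permission rules are evaluated inside invokeAction and viewEntity, where the request is actually served, rather than only where the menu is rendered, and the missing-object and not-permitted branches are indistinguishable to the caller. Whether the error page should suppress the stack trace as well is a rendering concern outside this class; the exception carries no detail for it to leak.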