[
https://issues.apache.org/jira/browse/ISIS-885?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Haywood resolved ISIS-885.
------------------------------
Resolution: Fixed
Have instead added a check in EntityPage that the user has permission to at
least one property or collection, else throw an
ObjectMember.AuthorizationException.
> To avoid leaking information (eg in the title) should have a "special"
> permission to throw a 404 if user doesn't have permission to view any of the
> class' members.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ISIS-885
> URL: https://issues.apache.org/jira/browse/ISIS-885
> Project: Isis
> Issue Type: Bug
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.6.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Fix For: viewer-wicket-1.7.0
>
>
> Otherwise, an unauthorized user could:
> a) discover (by constructing a URL) that an object exists, and
> b) worse, could view the title of said object, which would leak information
> about the object's state even if the object's properties were not visible.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
