[ https://issues.apache.org/jira/browse/ISIS-885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14131195#comment-14131195 ]
ASF subversion and git services commented on ISIS-885:
------------------------------------------------------
Commit c1af7b4a302d0515fc9787a28d04c366cb7763ac in isis's branch
refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=c1af7b4 ]
ISIS-883, ISIS-885, ISIS-846: reverting changes to todoapp made while
implementing/testing this feature.
> To avoid leaking information (e.g. in the title) should have a "special"
> permission to throw a 404 if user doesn't have permission to view any of the
> class' members.
> ------------------------------------------------------------------------------
>
> Key: ISIS-885
> URL: https://issues.apache.org/jira/browse/ISIS-885
> Project: Isis
> Issue Type: Bug
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.6.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Fix For: viewer-wicket-1.7.0
>
>
> Otherwise, an unauthorized user could:
> a) discover (by constructing a URL) that an object exists, and
> b) worse, could view the title of said object, which would leak information
> about the object's state even if the object's properties were not visible.
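
The behaviour the issue asks for, as an added example (not Apache Isis or Wicket viewer code; every class, method, role and the sample object are hypothetical and constructed for illustration): an object with no member the user may view gets the same 404 as an object that does not exist, and its title never reaches the response.

```java
import java.util.*;

// Added illustration (Java 16+ for records); none of these names is Apache Isis API.
public class HiddenObjectGuard {
    record Member(String name, Set<String> viewerRoles) {}
    record DomainObject(String title, List<Member> members) {}
    record Response(int status, String body) {}

    // Constructed sample store, keyed by the identifier that appears in the URL.
    static final Map<String, DomainObject> STORE = Map.of(
        "todo:42", new DomainObject("Buy stamps (due tomorrow)", List.of(
            new Member("description", Set.of("todo-user")),
            new Member("cost", Set.of("todo-admin")))));

    // One shared response, so "missing" and "not permitted" cannot drift apart.
    static final Response NOT_FOUND = new Response(404, "Not found");

    static Response view(String oid, Set<String> userRoles) {
        DomainObject obj = STORE.get(oid);
        if (obj == null) return NOT_FOUND;

        // Collect the members this user is allowed to see.
        List<String> visible = new ArrayList<>();
        for (Member m : obj.members()) {
            if (!Collections.disjoint(m.viewerRoles(), userRoles)) visible.add(m.name());
        }

        // No viewable member: answer exactly as for a missing object, and decide
        // this before the title is placed in the response, so neither the
        // object's existence nor its state leaks through a constructed URL.
        if (visible.isEmpty()) return NOT_FOUND;

        return new Response(200, obj.title() + " " + visible);
    }

    public static void main(String[] args) {
        Response missing = view("todo:999", Set.of("todo-user"));
        Response denied  = view("todo:42", Set.of("guest"));
        Response allowed = view("todo:42", Set.of("todo-user"));

        // The two failure cases must be indistinguishable to the caller.
        if (!missing.equals(denied)) throw new AssertionError("responses differ");
        System.out.println(denied.status() + " " + denied.body());
        System.out.println(allowed.status() + " " + allowed.body());
    }
}
```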