Andreas Hartmann wrote:
> Jörn Nettingsmeier wrote:
>> hi *!
>> i played around a bit, trying to add a password change option to the
>> user profile editor in the admin tab (see attached svn diff).
>> after rebuilding and restarting, i used it to change the password of a
>> test user. now when i try to log in as this test user and type the
>> correct password, i get thrown back to the login screen immediately
>> without any error.
> This usually means that you were successfully authenticated, but don't
> have the permission to view the page. There's no message for security
> reasons.
how is not printing a proper "permission denied for user XY" message a
security measure?
it's clear to me that an authentication dialog should not give away
whether a user id exists or what its permissions are, but in this case
the user has already been authenticated, so the information "user xy
must not access this page" (which is highly relevant to user xy) is not
leaked to an outside intruder.
so if i could find the place in the code where the login usecase is
invoked due to insufficient permissions, i would like to see an
addErrorMessage("You do not have the necessary permissions to access
this page. You can either log in as another user or use your browser's
\"Back\" button to get back to where you came from.")
wdyt?
--
"Open source takes the bullshit out of software."
- Charles Ferguson on TechnologyReview.com
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
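As an added illustration of the distinction drawn above (example code, not the project's own and not posted by anyone in this thread): an access check that silently sends an unauthenticated request to the login screen, but gives an already-authenticated user the permission message and writes an audit record of the denial. The page paths, role names and the Request/Decision types are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Outcome(Enum):
    ALLOW = "allow"
    LOGIN_REQUIRED = "login-required"  # anonymous: redirect to login, say nothing
    FORBIDDEN = "forbidden"            # authenticated but unauthorised: explain


@dataclass
class Request:
    user: Optional[str]        # None when no session has been authenticated
    roles: FrozenSet[str]
    page: str


@dataclass
class Decision:
    outcome: Outcome
    message: Optional[str] = None


# Constructed sample policy: page -> roles allowed to view it.
POLICY = {
    "/admin/users": {"admin"},
    "/authoring/index": {"admin", "editor"},
}

PERMISSION_MESSAGE = (
    "You do not have the necessary permissions to access this page. "
    "You can either log in as another user or use your browser's "
    "\"Back\" button to get back to where you came from."
)

AUDIT_LOG: List[str] = []  # stands in for the server log an admin would read


def check_access(req: Request) -> Decision:
    """Decide how to answer a request; only identified users get an explanation."""
    allowed = POLICY.get(req.page, set())
    if req.user is None:
        # Not authenticated: reveal nothing about the page or who may see it.
        # Unknown and protected pages get the identical answer.
        return Decision(Outcome.LOGIN_REQUIRED)
    if req.roles & allowed:
        return Decision(Outcome.ALLOW)
    # Authenticated but lacking the role: the message reaches only the user
    # who already proved their identity, so it leaks nothing to an outsider.
    AUDIT_LOG.append(f"DENY user={req.user} page={req.page} roles={sorted(req.roles)}")
    return Decision(Outcome.FORBIDDEN, PERMISSION_MESSAGE)
```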