[
https://issues.apache.org/jira/browse/CONNECTORS-779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771846#comment-13771846
]
Karl Wright edited comment on CONNECTORS-779 at 9/19/13 12:51 PM:
------------------------------------------------------------------
Hi Maciej,

Yes, I agree that if you add groups that every user belongs to implicitly (e.g.
"Everyone") you could use the feature maliciously in configuration in order to
allow all people to see documents they shouldn't. It will have to be up to
those who deploy ManifoldCF to lock down the application so that unauthorized
people cannot do this - either through the UI, or through the REST API, or
through direct command-line execution, or through direct database access.
Unfortunately, I can think of no way to limit the ability to cause damage here,
other than to document the risks fully. I'll keep thinking about it, though.

Is there any indication in the LDAP database of the special character of such
groups? Because that might be one way to limit the selection.

> Novell eDirectory: Group Everyone
> ----------------------------------
>
> Key: CONNECTORS-779
> URL: https://issues.apache.org/jira/browse/CONNECTORS-779
> Project: ManifoldCF
> Issue Type: Bug
> Components: LDAP authority
> Affects Versions: ManifoldCF 1.3
> Reporter: Nicolas Belisle
> Assignee: Maciej Lizewski
> Priority: Minor
> Fix For: ManifoldCF 1.4
>
>
> We had an issue with authorization using Novell eDirectory.
> The group "Everyone" was in the index (field allow_token_document), but would
> not be listed using "mcf-authority-service/UserACLs?username=userID". No
> configuration change seemed to solve it.
> We added it manually to
> org.apache.manifoldcf.authorities.authorities.ldap.LDAPAuthority
> line 316 : theGroups.add("Everyone");