Last night I reviewed and updated the security checks done in the public API.
I sent some of us the list of checks that are performed for validation.
This should be a regression because I put a security check in the
method getACP() that checks if the user has the ReadSecurity permission.
As ReadSecurity is not in the Read group, a user having only the Read
permission will not be able to get the ACP of the document.
Maybe the ACP is fetched through the getACP() method when entering the
domain, and so a security exception is thrown.
I see 2 possible fixes:
1. don't check ReadSecurity when calling getACP()
2. put ReadSecurity in the Read group
Bogdan
Julien Anguenot wrote:
> Since yesterday's changes, I got a regression on security.
> When a user has read perm on a workspace, it can't access the domain
> where the document is because it's missing the "Read security" permission.
> J.
_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
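Added example, not part of the thread and not Nuxeo code: a toy model of compound permission groups that reproduces the regression described above (a user holding only Read fails the ReadSecurity check inside getACP() when the domain is entered) and shows what each of the two proposed fixes does. The group table, the ACP class and every function name below are assumptions standing in for the real framework.

```python
# Added example (not Nuxeo code): toy model of compound permissions, showing
# why a user holding only "Read" fails a ReadSecurity check in getACP(), and
# how each of the two proposed fixes changes the outcome. All names are assumed.
from dataclasses import dataclass, field


class SecurityException(Exception):
    """Raised when a caller lacks the permission a public API method requires."""


# Compound permission groups (constructed, standing in for the framework's
# table): a group implies every permission listed under it, transitively.
PERMISSION_GROUPS = {
    "Read": {"ReadProperties", "ReadChildren"},
    "ReadWrite": {"Read", "Write"},
    "Everything": {"ReadWrite", "ReadSecurity", "WriteSecurity"},
}


def expand(permission, groups):
    """Return the permission plus everything it transitively implies."""
    implied, todo = set(), [permission]
    while todo:
        p = todo.pop()
        if p not in implied:
            implied.add(p)
            todo.extend(groups.get(p, ()))
    return implied


@dataclass
class ACP:
    """Access control policy: direct grants per user (toy model, no deny rules)."""
    grants: dict = field(default_factory=dict)

    def permits(self, user, needed, groups):
        """True if any grant the user holds expands to the needed permission."""
        return any(needed in expand(p, groups) for p in self.grants.get(user, ()))


def get_acp(acp, user, groups, check_read_security=True):
    """Accessor with the ReadSecurity check discussed in the thread.

    check_read_security=False models fix 1 (drop the check from getACP()).
    """
    if check_read_security and not acp.permits(user, "ReadSecurity", groups):
        raise SecurityException(f"{user} lacks ReadSecurity")
    return acp


def with_read_security_in_read(groups):
    """Fix 2: a copy of the group table where Read also implies ReadSecurity."""
    fixed = {name: set(members) for name, members in groups.items()}
    fixed["Read"].add("ReadSecurity")
    return fixed


def can_enter_domain(user, domain_acp, groups, check_read_security=True):
    """Entering the domain fetches its ACP; True if that fetch succeeds."""
    try:
        get_acp(domain_acp, user, groups, check_read_security)
        return True
    except SecurityException:
        return False


# Constructed sample: alice has only Read on the domain, admin has Everything.
DOMAIN_ACP = ACP({"alice": {"Read"}, "admin": {"Everything"}})


if __name__ == "__main__":
    print("regression :", can_enter_domain("alice", DOMAIN_ACP, PERMISSION_GROUPS))
    print("admin ok   :", can_enter_domain("admin", DOMAIN_ACP, PERMISSION_GROUPS))
    print("fix 1      :", can_enter_domain("alice", DOMAIN_ACP, PERMISSION_GROUPS,
                                           check_read_security=False))
    print("fix 2      :", can_enter_domain("alice", DOMAIN_ACP,
                                           with_read_security_in_read(PERMISSION_GROUPS)))
```

Both fixes make the domain reachable again for a Read-only user, and in this model they have the same visible effect: anyone who can read a document can also read its ACP. Fix 2 states that globally in the group table, fix 1 states it only for getACP(); which one is preferable depends on whether other callers still want ReadSecurity to be a separate, stricter grant than Read.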