We've got an Isis application that has failed a security review. The security provider is Shiro. The UI is Wicket.
When a user with an admin role logs in, they get access to functionality not available to standard users. However, if a standard user types in the URL to one of the admin pages, they get access to it. It appears the permissions are only checked when rendering the menus and not when executing the action. Essentially any authenticated user can bypass authorisation.

The permissions are correctly checked when accessing the services through the Restful interface.

Is this a known issue? I did not see anything in the 1.4, 1.5 or 1.6 release notes that would cover it either.

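The behaviour described above (a check that only gates menu rendering) is the classic failure of UI-layer authorisation. As an added illustration, not code from the reporter's application or from Apache Isis, here is the pattern a defender looks for: the same Shiro permission check enforced again at the point the action executes, so a user who reaches the page by URL still cannot run it. The permission string and the action name are constructed placeholders.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

public class AdminActions {

    // Constructed placeholder permission; a real application would use its own.
    static final String RESET_PASSWORD_PERM = "admin:user:resetPassword";

    // Menu-level check: decides only whether the entry is shown in the UI.
    // On its own this is cosmetic; it does not stop a direct request.
    public static boolean isResetPasswordVisible() {
        Subject subject = SecurityUtils.getSubject();
        return subject.isAuthenticated() && subject.isPermitted(RESET_PASSWORD_PERM);
    }

    // Execution-level check: repeated at invocation time, independent of how
    // the request arrived (menu click, typed URL, crafted form post).
    // checkPermission throws AuthorizationException for a non-permitted subject.
    public static void resetPassword(String username) {
        Subject subject = SecurityUtils.getSubject();
        subject.checkPermission(RESET_PASSWORD_PERM);
        // ... perform the reset only after the check has passed
    }

    // Example caller: catching the exception lets the UI layer map it to
    // an "access denied" page rather than a stack trace.
    public static boolean tryResetPassword(String username) {
        try {
            resetPassword(username);
            return true;
        } catch (AuthorizationException denied) {
            return false;
        }
    }
}
```

The symptom in the report (menus hidden, actions still callable) corresponds to having only the first method; the second is what the Restful interface appears to be doing correctly.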