Bugs item #1469761, was opened at 2006-04-13 14:03
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=684975&aid=1469761&group_id=119783

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Maurice Marrink (mrmean)
Assigned to: Nobody/Anonymous (nobody)
Summary: security leak in dataview and listview like components

Initial Comment:
Using Wicket 1.2-beta-1 and a dataview, although it probably also fails with listviews and similar components.

The problem occurs when the "list" component populates its items with components that will be checked for authorisation by the strategy. Upon render the page checks all its child components for sufficient authorisation rights; when failing to do so they get a setRenderAllowed(false). Next the page renders all its children. Upon arriving at the dataview and its items, the marked components are gone and new components (with same wicket id though) have taken their place at the items. These new components never got checked for authorisation and are thus rendered.

The new components are created by the dataview. Although an itemreuse strategy or setOptimizeItemremoval might provide a workaround. These "list" components should, just like page, verify their children before rendering.

Maurice

----------------------------------------------------------------------
_______________________________________________
Wicket-develop mailing list
Wicket-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-develop
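
The ordering problem described in the report, as an added sketch that is not part of the original message and is not Wicket code. The types `Comp` and `Repeater`, the component ids and the policy are hypothetical stand-ins for a component, a DataView-like list component and an authorization strategy; it assumes Java 9 or later.

```java
import java.util.*;
import java.util.function.Predicate;

// Simplified model of the render flow in the report; none of these types are Wicket classes.
public class RepeaterAuthDemo {
    static class Comp {
        final String id;
        boolean renderAllowed = true;
        Comp(String id) { this.id = id; }
    }

    // Stand-in for a list-like component that rebuilds its items while rendering.
    static class Repeater {
        List<Comp> items = new ArrayList<>();
        final boolean recheckBeforeRender;
        Repeater(boolean recheck) { this.recheckBeforeRender = recheck; populate(); }

        void populate() {                    // creates fresh components with the same ids
            items = new ArrayList<>(List.of(new Comp("name"), new Comp("adminLink")));
        }

        List<String> render(Predicate<Comp> authorized) {
            populate();                      // items the page already checked are discarded here
            if (recheckBeforeRender)         // the behaviour the report asks for
                authorize(items, authorized);
            List<String> out = new ArrayList<>();
            for (Comp c : items) if (c.renderAllowed) out.add(c.id);
            return out;
        }
    }

    // Page-level pass: mark every component the strategy rejects.
    static void authorize(List<Comp> comps, Predicate<Comp> authorized) {
        for (Comp c : comps) c.renderAllowed = authorized.test(c);
    }

    static List<String> renderPage(boolean recheck) {
        Predicate<Comp> strategy = c -> !c.id.equals("adminLink"); // constructed policy
        Repeater view = new Repeater(recheck);
        authorize(view.items, strategy);     // the check runs before rendering starts
        return view.render(strategy);
    }

    public static void main(String[] args) {
        System.out.println("check only at page level: " + renderPage(false));
        System.out.println("repeater re-checks items: " + renderPage(true));
    }
}
```

The first call renders the denied item because the flag was set on an object that no longer exists at render time; the second applies the decision to the objects that are actually rendered.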