Posted to dev@isis.apache.org by "Dan Haywood (JIRA)" <ji...@apache.org> on 2014/09/12 08:45:33 UTC

[jira] [Resolved] (ISIS-885) To avoid leaking information (eg in the title) should have a "special" permission to throw a 404 if user doesn't have permission to view any of the class' members.

     [ https://issues.apache.org/jira/browse/ISIS-885?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Haywood resolved ISIS-885.
------------------------------
    Resolution: Fixed

Have instead added a check in EntityPage that the user has permission to at least one property or collection, else throw an ObjectMember.AuthorizationException.

> To avoid leaking information (eg in the title) should have a "special" permission to throw a 404 if user doesn't have permission to view any of the class' members.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-885
>                 URL: https://issues.apache.org/jira/browse/ISIS-885
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>             Fix For: viewer-wicket-1.7.0
>
>
> Otherwise, an unauthorized user could:
> a) discover (by constructing a URL) that an object exists, and 
> b) worse, could view the title of said object, which would leak information about the object's state even if the object's properties were not visible.
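The fix described in the resolution, shown on a deliberately simplified model (added illustration, not Apache Isis's own EntityPage or authorizer code; the Member, DomainObject, isVisible and render* names are assumed): the "before" path renders the title unconditionally, while the "after" path refuses the page unless the user may view at least one property or collection, so neither the object's existence nor its title is revealed to a user with no member permissions.

```java
import java.util.List;
import java.util.Set;

// Hypothetical minimal model of an entity page (not Apache Isis's own classes).
public class EntityPageCheck {

    /** Thrown when the current user may not view the object at all. */
    public static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    /** A property or collection of a domain object, with the role needed to see it. */
    public record Member(String name, String requiredRole) {}

    /** A domain object whose title is derived from its (possibly sensitive) state. */
    public record DomainObject(String oid, String title, List<Member> members) {}

    /** True if the user may view this member (role-based stand-in for a real authorizer). */
    static boolean isVisible(Member m, Set<String> userRoles) {
        return userRoles.contains(m.requiredRole());
    }

    /** Before the fix: the title was rendered regardless of member permissions. */
    static String renderBefore(DomainObject obj, Set<String> userRoles) {
        return "<h1>" + obj.title() + "</h1>"; // leaks state even if every member is hidden
    }

    /** After the fix: refuse the page unless at least one member is visible to the user. */
    static String renderAfter(DomainObject obj, Set<String> userRoles) {
        boolean anyVisible = obj.members().stream().anyMatch(m -> isVisible(m, userRoles));
        if (!anyVisible) {
            // The message names only the identifier from the URL, never the title.
            throw new AuthorizationException("not authorized to view object " + obj.oid());
        }
        return "<h1>" + obj.title() + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample: the title alone reveals the loan's status and borrower.
        DomainObject loan = new DomainObject("Loan:42", "Loan 42 - DEFAULTED - J. Smith",
            List.of(new Member("amount", "finance"), new Member("borrower", "finance")));
        Set<String> guest = Set.of("guest");
        System.out.println(renderBefore(loan, guest)); // title leaks to the guest
        try {
            renderAfter(loan, guest);
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println(renderAfter(loan, Set.of("finance"))); // authorised user sees it
    }
}
```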


