Posted to dev@isis.apache.org by "Dan Haywood (JIRA)" <ji...@apache.org> on 2014/09/12 08:45:33 UTC

[jira] [Resolved] (ISIS-883) Isis 1.3: Bookmarkable action URLs can be submitted by a user without permissions to bring up action dialog (thereafter that user can invoke).

     [ https://issues.apache.org/jira/browse/ISIS-883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Haywood resolved ISIS-883.
------------------------------
    Resolution: Fixed

> Isis 1.3: Bookmarkable action URLs can be submitted by a user without permissions to bring up action dialog (thereafter that user can invoke).
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-883
>                 URL: https://issues.apache.org/jira/browse/ISIS-883
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> originally raised in mailing list, see: http://markmail.org/thread/lmr3yy5yoz4sfkk2 for Isis 1.3
> When a user with an admin role logs in, they get access to functionality not available to standard users.
> However, if a standard user types in the URL to one of the admin pages, they get access to it.
> It appears the permissions are only checked when rendering the menus and not when executing the action.
> Essentially any authenticated user can bypass authorisation.
> The permissions are correctly checked when accessing the services through the Restful interface.
> ~~~
> More detail:
> I'm talking about bookmarkable URLs in the format
> http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
> ~~~
> It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
> Clicking the "OK" button on that form invokes the method.
> The actual URL that causes the method invocation is
> POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
> with a standard x-www-form-urlencoded post body.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
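Added here to illustrate the fix pattern the report implies: the same authorisation decision that filters the menu must be enforced again when the action's parameter dialog is built and again when its form is POSTed. This is constructed example code, not Isis or Wicket code; the role table, the `ActionPage` name and all method names are assumptions.

```java
import java.util.*;
/** Constructed model of where an action dialog must enforce authorisation; not Isis or Wicket code. */
public class ActionAuthzDemo {
    // Constructed role table: the actionIds each user may see in the menu and invoke.
    static final Map<String, Set<String>> PERMS = Map.of(
            "admin", Set.of("listCustomers", "purgeCustomers"),
            "user", Set.of("listCustomers"));
    static boolean isAuthorized(String user, String actionId) {
        return PERMS.getOrDefault(user, Set.of()).contains(actionId);
    }
    /** Splits the query string of a bookmarkable action URL in the report's format (no percent-decoding). */
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String kv : url.substring(url.indexOf('?') + 1).split("&")) {
            String[] p = kv.split("=", 2);
            params.put(p[0], p.length > 1 ? p[1] : "");
        }
        return params;
    }
    /** Vulnerable shape: the menu was filtered with isAuthorized, but the parameter dialog trusts
     *  whoever reached its URL, so a non-admin who types the URL gets the form and its OK button. */
    static String openDialogVulnerable(String user, Map<String, String> params) {
        return "parameter form for " + params.get("actionId");
    }
    /** Hardened shape: the menu check is repeated when the dialog is built and again on the form
     *  POST, so neither a hand-typed bookmarkable URL nor a replayed POST body bypasses it. */
    static String openDialogHardened(String user, Map<String, String> params) {
        requireAuthorized(user, params.get("actionId"));
        return "parameter form for " + params.get("actionId");
    }
    static String submitFormHardened(String user, Map<String, String> postBody) {
        requireAuthorized(user, postBody.get("actionId")); // do not rely on the earlier GET having passed
        return "invoked " + postBody.get("actionId") + " on " + postBody.get("objectOid");
    }
    private static void requireAuthorized(String user, String actionId) {
        if (!isAuthorized(user, actionId)) throw new SecurityException(user + " may not invoke " + actionId);
    }

    public static void main(String[] args) {
        // Constructed URL: 'user' never sees purgeCustomers in the menu but can still type this address.
        Map<String, String> params = parseQuery("http://localhost:7001/rma/wicket/wicket/bookmarkable/"
                + "ActionPage?pageType=ACTION&objectOid=Customer:1&actionId=purgeCustomers&actionMode=PARAMETERS");
        System.out.println("vulnerable: " + openDialogVulnerable("user", params));
        try { openDialogHardened("user", params); }
        catch (SecurityException e) { System.out.println("hardened: " + e.getMessage()); }
        System.out.println("hardened, admin: " + submitFormHardened("admin", params));
    }
}
```

The POST handler re-checks on its own because, as the report notes, the bookmarkable URL only reaches the form; the invocation is a separate request whose body can be submitted without ever rendering the dialog.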