Posted to dev@isis.apache.org by "Dan Haywood (JIRA)" <ji...@apache.org> on 2014/09/10 16:39:28 UTC
[jira] [Created] (ISIS-883) Bookmarkable action URLs can be submitted by a user without permissions to invoke.
Dan Haywood created ISIS-883:
--------------------------------
Summary: Bookmarkable action URLs can be submitted by a user without permissions to invoke.
Key: ISIS-883
URL: https://issues.apache.org/jira/browse/ISIS-883
Project: Isis
Issue Type: Bug
Components: Viewer: Wicket
Affects Versions: viewer-wicket-1.6.0
Reporter: Dan Haywood
Assignee: Dan Haywood
Priority: Blocker
Fix For: viewer-wicket-1.7.0
When a user with an admin role logs in, they get access to functionality not available to standard users.
However, if a standard user types in the URL to one of the admin pages, they get access to it.
It appears the permissions are only checked when rendering the menus and not when executing the action.
Essentially any authenticated user can bypass authorisation.
The permissions are correctly checked when accessing the services through the Restful interface.
~~~
More detail:
I'm talking about bookmarkable URLs in the format
http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
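The bug class the report describes (authorisation evaluated when the menu is rendered, but not again when the action is actually invoked from a bookmarkable URL) is easier to see in a small model. The following is an added example, not code from Apache Isis or the Wicket viewer: it parses a URL in the shape quoted above, shows a viewer that only filters the menu, and beside it the same dispatch with the check moved to the invocation point. The host, context path, service name `AdminService`, action id `resetAllPasswords`, the `PERMISSIONS` table and every function name are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample URL in the shape quoted in the report; host, context path,
# service name and action id are placeholders, not real Isis identifiers.
SAMPLE_ADMIN_URL = (
    "http://localhost:7001/rma/wicket/wicket/bookmarkable/ActionPage"
    "?pageType=ACTION&actionSingleResultsMode=REDIRECT"
    "&objectOid=AdminService:1&actionType=USER"
    "&actionOwningSpec=AdminService&actionId=resetAllPasswords"
    "&pageTitle=Reset+passwords&actionMode=PARAMETERS"
)

# Hypothetical permission table: (owning spec, action id) -> roles allowed to invoke.
PERMISSIONS = {
    ("AdminService", "resetAllPasswords"): {"admin"},
    ("CustomerService", "listCustomers"): {"admin", "user"},
}

REQUIRED_PARAMS = ("pageType", "objectOid", "actionOwningSpec", "actionId")


def parse_bookmarkable_action(url):
    """Extract the action identity from a bookmarkable action URL.

    Raises ValueError if the page is not an ACTION page or a required
    parameter is absent, so a malformed bookmark is rejected, not dispatched.
    """
    qs = parse_qs(urlparse(url).query)
    params = {}
    for name in REQUIRED_PARAMS:
        values = qs.get(name)
        if not values:
            raise ValueError("missing query parameter: " + name)
        params[name] = values[0]
    if params["pageType"] != "ACTION":
        raise ValueError("not an action page: " + params["pageType"])
    return params


def authorised(user_roles, owning_spec, action_id):
    """True if any of the user's roles may invoke the action; unknown actions are denied."""
    allowed = PERMISSIONS.get((owning_spec, action_id), set())
    return bool(set(user_roles) & allowed)


def render_menu(user_roles):
    """Menu entries the user sees. In the vulnerable viewer this is the only authorisation check."""
    return sorted(
        f"{spec}#{action}"
        for (spec, action) in PERMISSIONS
        if authorised(user_roles, spec, action)
    )


def execute(params):
    """Stand-in for running the domain action."""
    return f"invoked {params['actionOwningSpec']}#{params['actionId']} on {params['objectOid']}"


def invoke_vulnerable(url, user_roles):
    """Behaviour reported in ISIS-883: a typed-in bookmark bypasses the menu, so nothing checks roles."""
    params = parse_bookmarkable_action(url)
    return execute(params)  # user_roles is never consulted


def invoke_fixed(url, user_roles):
    """Authorisation enforced at the invocation point, whichever path the request arrived by."""
    params = parse_bookmarkable_action(url)
    if not authorised(user_roles, params["actionOwningSpec"], params["actionId"]):
        raise PermissionError(
            f"{params['actionOwningSpec']}#{params['actionId']} "
            f"not permitted for roles {sorted(user_roles)}"
        )
    return execute(params)


def denied(url, user_roles):
    """Convenience: True if the fixed dispatcher refuses this URL for these roles."""
    try:
        invoke_fixed(url, user_roles)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    standard = ["user"]
    print("menu for standard user:", render_menu(standard))
    print("vulnerable viewer:", invoke_vulnerable(SAMPLE_ADMIN_URL, standard))
    print("fixed viewer denies:", denied(SAMPLE_ADMIN_URL, standard))
```

The point of the split between `render_menu` and `invoke_fixed` is that hiding a menu entry is a usability decision, not a security control: the roles must be re-evaluated where the action is dispatched, so that a bookmarked URL, a menu click and the Restful interface the reporter mentions all pass through the same check.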