Details
- Bug
- Status: Resolved
- Blocker
- Resolution: Fixed
- 5.5.1
Description
Given authorisation where there is overlap in roles, using a composite destination can gain access in error, e.g.:
<authorizationMap>
  <authorizationEntries>
    <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
    <authorizationEntry queue="USER.>" read="users" write="users" admin="users" />
    ...
The correct expectation is that a 'user' can only access queues that match 'USER.>', but a user can bypass this and access a private queue using a composite destination q(PRIVATE,USER.A) because the permissions are aggregated in error and we look for a single match.
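
The difference between the aggregated check described in this report and a per-component check, as an added example that models the logic in Python and is not ActiveMQ's own code. The names `matches`, `acl`, `allowed_aggregated` and `allowed_per_component` are hypothetical, the entries mirror the two shown above, and a composite destination is assumed to be passed as a list of its component queue names.

```python
# Simplified model of the authorization map above (constructed for illustration).
# Each entry: (queue pattern, roles granted). Only the two entries shown are modelled.
ENTRIES = [
    (">", {"admins"}),
    ("USER.>", {"users"}),
]

def matches(pattern, name):
    """Dot-separated wildcard match: '*' is one segment, '>' is the remainder."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)

def acl(name):
    """Roles allowed on one physical queue: union over every matching entry."""
    roles = set()
    for pattern, granted in ENTRIES:
        if matches(pattern, name):
            roles |= granted
    return roles

def allowed_aggregated(user_roles, composite):
    """Flawed check from the report: the ACLs of all components are merged,
    so a single role match grants access to the whole composite."""
    merged = set()
    for name in composite:
        merged |= acl(name)
    return bool(merged & user_roles)

def allowed_per_component(user_roles, composite):
    """Corrected check: the caller must be authorised on every component.
    An empty composite is rejected rather than vacuously allowed."""
    return bool(composite) and all(acl(name) & user_roles for name in composite)

if __name__ == "__main__":
    user = {"users"}
    composite = ["PRIVATE", "USER.A"]  # q(PRIVATE,USER.A) from the description
    print("aggregated check:   ", allowed_aggregated(user, composite))
    print("per-component check:", allowed_per_component(user, composite))
```

A regression test for this class of bug should cover composites that mix an authorised and an unauthorised component, since each component on its own is handled correctly by both checks.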