Uploaded image for project: 'Isis'
  1. Isis
  2. ISIS-883

Isis 1.3: Bookmarkable action URLs can be submitted by a user without permissions to bring up action dialog (thereafter that user can invoke).

    Details

      Description

      originally raised in mailing list, see: http://markmail.org/thread/lmr3yy5yoz4sfkk2 for Isis 1.3

      When a user with an admin role logs in, they get access to functionality not available to standard users.
      However, if a standard user types in the URL to one of the admin pages, they get access to it.

      It appears the permissions are only checked when rendering the menus and not when executing the action.
      Essentially any authenticated user can bypass authorisation.

      The permissions are correctly checked when accessing the services through the Restful interface.

      ~~~

      More detail:

      I'm talking about bookmarkable URL's in the format
      http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS

      ~~~

      It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
      Clicking the "OK" button on that form invokes the method.

      The actual URL that causes the method invocation is
      POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
      with a standard x-www-form-urlencoded post body.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              danhaywood Dan Haywood
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: