[CAUSEWAY-885] To avoid leaking information (eg in the title) should have a "special" permission to throw a 404 if user doesn't have permission to view any of the class' members. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: viewer-wicket-1.6.0
Fix Version/s: viewer-wicket-1.7.0
Component/s: Viewer Wicket
Labels:
None

Description

Otherwise, an unauthorized user could:

a) discover (by constructing a URL) that an object exists, and

b) worse, could view the title of said object, which would leak information about the object's state even if the object's properties were not visible.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Daniel Keir Haywood

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 10/Sep/14 14:51

Updated:: 21/Oct/14 05:55

Resolved:: 12/Sep/14 06:45