Isis / ISIS-885

To avoid leaking information (e.g. in the title), should have a "special" permission to throw a 404 if the user doesn't have permission to view any of the class's members.

Description

Otherwise, an unauthorized user could:

a) discover (by constructing a URL) that an object exists, and

b) worse, could view the title of said object, which would leak information about the object's state even if the object's properties were not visible.

People

Assignee: Unassigned
Reporter: Dan Haywood (danhaywood)
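
A sketch of the behaviour this issue asks for, added here as an illustration and not taken from the Apache Isis code base: the handler authorises before it renders the title, and returns the same 404 for an object that does not exist and for one whose members the user cannot view. All class, record and method names and the sample data are hypothetical, and the policy is hard-wired rather than driven by a configurable permission.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, none is Apache Isis API.
public class HiddenObjectDemo {
    // A member (property, collection or action) and the role needed to view it.
    record Member(String name, String requiredRole, String value) {}
    record DomainObject(String id, String title, List<Member> members) {}
    record Response(int status, String body) {}

    // One shared response for "does not exist" and "exists but not viewable",
    // so neither status nor body distinguishes the two cases.
    static final Response NOT_FOUND = new Response(404, "Not found");

    // Constructed sample data: the title alone reveals state (OVERDUE, customer).
    static final Map<String, DomainObject> STORE = Map.of(
        "invoice:42", new DomainObject("invoice:42", "Invoice 42 (OVERDUE, ACME Ltd)",
            List.of(new Member("amount", "finance", "1200.00"),
                    new Member("notes", "audit", "escalated"))));

    static Response view(String id, Set<String> roles) {
        DomainObject obj = STORE.get(id);
        if (obj == null) return NOT_FOUND;
        // Authorise before touching the title: the title is derived from state.
        List<Member> visible = obj.members().stream()
            .filter(m -> roles.contains(m.requiredRole())).toList();
        if (visible.isEmpty()) return NOT_FOUND;   // no member viewable: hide existence too
        StringBuilder body = new StringBuilder(obj.title());
        for (Member m : visible) body.append("\n").append(m.name()).append('=').append(m.value());
        return new Response(200, body.toString());
    }

    public static void main(String[] args) {
        Response missing = view("invoice:999", Set.of("finance"));
        Response denied  = view("invoice:42", Set.of("sales"));
        Response allowed = view("invoice:42", Set.of("finance"));
        System.out.println(missing.equals(denied));   // indistinguishable responses
        System.out.println(denied.body().contains("OVERDUE"));
        System.out.println(allowed.status() + " " + allowed.body().replace("\n", " | "));
    }
}
```

A user with the `finance` role sees the title and only the `amount` member; the `notes` member stays hidden because it requires a different role.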