Rave
  1. Rave
  2. RAVE-298

Page manipulations are unchecked

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 0.4-INCUBATING
    • Fix Version/s: 0.5-INCUBATING
    • Component/s: None
    • Labels:
      None

      Description

      Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.

        Issue Links

          Activity

          Hide
          Jasha Joachimsthal added a comment -

          Thanks for the documentation. Can you find some time to add examples to the documentation (e.g. User needs access to own Page, admin needs acces to other User's Page)?

          Show
          Jasha Joachimsthal added a comment - Thanks for the documentation. Can you find some time to add examples to the documentation (e.g. User needs access to own Page, admin needs acces to other User's Page)?
          Hide
          Anthony Carlucci added a comment -

          Documentation has been published on how to implement model permission security for the rest of our models and services: http://incubator.apache.org/rave/documentation/index.html

          I will be closing this ticket and creating a separate set of issues to finish implementing ModelPermissionEvaluator classes for the rest of our models and annotating our service interfaces.

          Show
          Anthony Carlucci added a comment - Documentation has been published on how to implement model permission security for the rest of our models and services: http://incubator.apache.org/rave/documentation/index.html I will be closing this ticket and creating a separate set of issues to finish implementing ModelPermissionEvaluator classes for the rest of our models and annotating our service interfaces.
          Hide
          Anthony Carlucci added a comment -

          More updates:

          • created common AbstractRestApi class
          • updated the DefaultPagePermissionEvaluator to handle permission checks when the object to be checked differs from the returned Object
          • secured remaining PageService methods that deal with Page objects, except addNewDefaultPage (see RAVE-303)

          Still TODO:
          1) Documentation!

          Show
          Anthony Carlucci added a comment - More updates: created common AbstractRestApi class updated the DefaultPagePermissionEvaluator to handle permission checks when the object to be checked differs from the returned Object secured remaining PageService methods that deal with Page objects, except addNewDefaultPage (see RAVE-303 ) Still TODO: 1) Documentation!
          Hide
          Anthony Carlucci added a comment -

          Code checked in:

          • implemented DefaultPagePermissionEvaluator
          • protected one PageService method: getPage
          • added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi
          • fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent duplicate bean creation

          Still TODO:
          1) finish securing the rest of the PageService methods with permission annotations
          2) refactor the handleAccessDeniedException up into an AbstractRestApi class since it is common functionality that all RestApi controllers will want

          Show
          Anthony Carlucci added a comment - Code checked in: implemented DefaultPagePermissionEvaluator protected one PageService method: getPage added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent duplicate bean creation Still TODO: 1) finish securing the rest of the PageService methods with permission annotations 2) refactor the handleAccessDeniedException up into an AbstractRestApi class since it is common functionality that all RestApi controllers will want

            People

            • Assignee:
              Anthony Carlucci
              Reporter:
              Jasha Joachimsthal
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development