Rave
  1. Rave
  2. RAVE-298

Page manipulations are unchecked

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 0.4-INCUBATING
    • Fix Version/s: 0.5-INCUBATING
    • Component/s: None
    • Labels:
      None

      Description

      Currently it's possible to add/move/delete a widget on a page that does not belong to the logged in user by changing request parameters or the id in the url. Checks must be added to page and widget manipulations if the user that does the manipulations are performed by the owner.

        Issue Links

          Activity

          Matt Franklin made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Hide
          Jasha Joachimsthal added a comment -

          Thanks for the documentation. Can you find some time to add examples to the documentation (e.g. User needs access to own Page, admin needs acces to other User's Page)?

          Show
          Jasha Joachimsthal added a comment - Thanks for the documentation. Can you find some time to add examples to the documentation (e.g. User needs access to own Page, admin needs acces to other User's Page)?
          Anthony Carlucci made changes -
          Status In Progress [ 3 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Hide
          Anthony Carlucci added a comment -

          Documentation has been published on how to implement model permission security for the rest of our models and services: http://incubator.apache.org/rave/documentation/index.html

          I will be closing this ticket and creating a separate set of issues to finish implementing ModelPermissionEvaluator classes for the rest of our models and annotating our service interfaces.

          Show
          Anthony Carlucci added a comment - Documentation has been published on how to implement model permission security for the rest of our models and services: http://incubator.apache.org/rave/documentation/index.html I will be closing this ticket and creating a separate set of issues to finish implementing ModelPermissionEvaluator classes for the rest of our models and annotating our service interfaces.
          Hide
          Anthony Carlucci added a comment -

          More updates:

          • created common AbstractRestApi class
          • updated the DefaultPagePermissionEvaluator to handle permission checks when the object to be checked differs from the returned Object
          • secured remaining PageService methods that deal with Page objects, except addNewDefaultPage (see RAVE-303)

          Still TODO:
          1) Documentation!

          Show
          Anthony Carlucci added a comment - More updates: created common AbstractRestApi class updated the DefaultPagePermissionEvaluator to handle permission checks when the object to be checked differs from the returned Object secured remaining PageService methods that deal with Page objects, except addNewDefaultPage (see RAVE-303 ) Still TODO: 1) Documentation!
          Hide
          Anthony Carlucci added a comment -

          Code checked in:

          • implemented DefaultPagePermissionEvaluator
          • protected one PageService method: getPage
          • added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi
          • fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent duplicate bean creation

          Still TODO:
          1) finish securing the rest of the PageService methods with permission annotations
          2) refactor the handleAccessDeniedException up into an AbstractRestApi class since it is common functionality that all RestApi controllers will want

          Show
          Anthony Carlucci added a comment - Code checked in: implemented DefaultPagePermissionEvaluator protected one PageService method: getPage added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent duplicate bean creation Still TODO: 1) finish securing the rest of the PageService methods with permission annotations 2) refactor the handleAccessDeniedException up into an AbstractRestApi class since it is common functionality that all RestApi controllers will want
          Anthony Carlucci made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Anthony Carlucci made changes -
          Assignee Anthony Carlucci [ carlucci ]
          Jasha Joachimsthal made changes -
          Link This issue is part of RAVE-164 [ RAVE-164 ]
          Jasha Joachimsthal made changes -
          Field Original Value New Value
          Fix Version/s 0.5-INCUBATING [ 12317562 ]
          Jasha Joachimsthal created issue -

            People

            • Assignee:
              Anthony Carlucci
              Reporter:
              Jasha Joachimsthal
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development