
RealTimeGet with explicit ids can bypass document level authorization


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.5.1
    • Fix Version/s: 1.7.0
    • Component/s: Solr Plugin
    • Labels: None

    Description

      RealTimeGet currently ignores filter queries in Solr (see SOLR-8436), and filter queries are how document-level security is implemented, so anyone who can guess document ids can retrieve those documents through RealTimeGet regardless of the filter.

      Since we probably don't want to wait for a Solr release that includes SOLR-8436, we should come up with a temporary workaround.

      Attachments

        1. SENTRY-989.patch (68 kB, Gregory Chanan)
        2. SENTRY-989.patch (68 kB, Gregory Chanan)
        3. SENTRY-989.patch (65 kB, Gregory Chanan)
        4. SENTRY-989.patch (29 kB, Gregory Chanan)

      People

        Assignee: Gregory Chanan (gchanan)
        Reporter: Gregory Chanan (gchanan)