[SENTRY-989] RealTimeGet with explicit ids can bypass document level authorization - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.5.1
Fix Version/s: 1.7.0
Component/s: Solr Plugin
Labels:
None

Description

RealTimeGet just ignores filter queries currently in Solr (see ~~SOLR-8436~~) which is how document level security is implemented, so if you can guess the document ids, you can access them.

Since we probably don't want to wait for a solr version with ~~SOLR-8436~~ to be released, we should come up with a temporary work around.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-989.patch
30/Dec/15 23:30
29 kB
Gregory Chanan
SENTRY-989.patch
20/Jan/16 22:38
65 kB
Gregory Chanan
SENTRY-989.patch
19/Feb/16 02:19
68 kB
Gregory Chanan
SENTRY-989.patch
20/Feb/16 00:51
68 kB
Gregory Chanan

Issue Links

links to

Review Board

Activity

People

Assignee:: Gregory Chanan

Reporter:: Gregory Chanan

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Dec/15 23:33

Updated:: 22/Feb/16 22:27

Resolved:: 22/Feb/16 22:27