Solr: SOLR-8167

RuleBasedAuthorization plugin bypass with POST requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1
    • Fix Version/s: 5.3.2, 5.4, 6.0
    • Component/s: security

      Description

      We are using the RuleBasedAuthorization plugin. We are using the
      collection-admin-edit permission to secure the collections API.

      What I have found is that if I try to, say, create or delete a
      collection using a GET request, I am prompted to authenticate as
      expected.

      If I try the same operation using a POST request, it lets me straight
      through and I can delete collections without authenticating.

      I emailed Noble Paul directly about this initially and he has confirmed this as a bug.
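The defect described above is an authorization gate that keys its decision off parameters it only sees on one HTTP method. The following is an added illustration, not Solr's code and not the RuleBasedAuthorizationPlugin's real API: a constructed permission gate with a weak action extractor (query string only) beside a hardened one (query string plus POST body), and a regression check that sends the same unauthenticated DELETE via GET and POST and reports which one gets through. Path, permission name, user table and request model are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs

# Constructed model of a collections API protected by a rule: CREATE and
# DELETE require "collection-admin-edit", which only "admin" holds.
# These names and the request structure are assumptions for this example.
ADMIN_PATH = "/solr/admin/collections"
EDIT_ACTIONS = {"CREATE", "DELETE"}
USER_PERMISSIONS: Dict[str, set] = {"admin": {"collection-admin-edit"}}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""              # URL query string, e.g. "action=DELETE&name=c1"
    body: str = ""               # form-encoded body (POST)
    user: Optional[str] = None   # None means the caller is unauthenticated


def action_from_query_only(req: Request) -> Optional[str]:
    """Weak extractor: reads only the URL query string, so a POST whose
    parameters travel in the body never yields an action to check."""
    return parse_qs(req.query).get("action", [None])[0]


def action_from_all_params(req: Request) -> Optional[str]:
    """Hardened extractor: merges body parameters for POST so the same
    action is recognised regardless of how the client transported it."""
    params = parse_qs(req.query)
    if req.method == "POST":
        params.update(parse_qs(req.body))
    return params.get("action", [None])[0]


def is_authorized(req: Request,
                  extract_action: Callable[[Request], Optional[str]]) -> bool:
    """True if the request may proceed. Requests that do not carry a
    protected action pass through; protected actions require the
    permission held by the request's user."""
    if req.path != ADMIN_PATH:
        return True
    action = extract_action(req)
    if action is None or action.upper() not in EDIT_ACTIONS:
        return True          # no protected action identified (the bug's path)
    if req.user is None:
        return False         # caller must be prompted to authenticate
    return "collection-admin-edit" in USER_PERMISSIONS.get(req.user, set())


def unauthenticated_delete_by_method(
        extract_action: Callable[[Request], Optional[str]]) -> Dict[str, bool]:
    """Regression check: the same unauthenticated DELETE sent via GET and
    via POST. A correct gate returns False for every method."""
    requests = {
        "GET": Request("GET", ADMIN_PATH, query="action=DELETE&name=c1"),
        "POST": Request("POST", ADMIN_PATH, body="action=DELETE&name=c1"),
    }
    return {m: is_authorized(r, extract_action) for m, r in requests.items()}


if __name__ == "__main__":
    print("query-only extractor:", unauthenticated_delete_by_method(action_from_query_only))
    print("all-params extractor:", unauthenticated_delete_by_method(action_from_all_params))
```

Run stand-alone, the query-only gate reports the POST as allowed while the GET is denied, which is the asymmetry the report describes; with the merged extractor both are denied. A check of this shape, enumerating every method the endpoint accepts, is the kind of test that keeps an authorization rule from silently depending on request framing.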

              People

              • Assignee: Anshum Gupta (anshumg)
              • Reporter: Philip Wigg (pwigg)
              • Votes: 0
              • Watchers: 5
