Web users can bypass ACLs by editing params of element/node.jsp URLs
Description
Steps to reproduce:
1a. Create group "canhas" with all node categories included; add user "jeffg" to this group
1b. Create group "nocanhas" with only "Production" node category; add user "rjeffg" to this group
2. Add nodes 1 and 3 to node categories "Servers", "Production"; add node 2 to categories "Servers", "Development"
3a. Log out and log in as "rjeffg", view node list, note that only nodes 1 and 3 are in list
3b. Click node 1 in node list
4. Edit URL, changing "element/node.jsp?node=1" to "element/node.jsp?node=2"
Expected behavior: some kind of denial
Actual behavior: a slightly restricted entry point into viewing info for node #2, including all parts of the node detail page and the resource graphs workflow.
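The following is an added example for this issue page, not OpenNMS code. It models the category-based node ACL from the reproduction steps in plain Python and puts the reported behaviour (the node list is filtered, but the detail page trusts whatever ?node= value arrives) beside a hardened lookup that authorizes the id from the URL and answers "Node Not Found" for anything the user may not see, which is the outcome the fix comments below describe. The node, category, group and user data are constructed from steps 1 and 2; the function names and the "Node Not Found" string are assumptions for the model.

```python
"""Category-based node ACL from this report, modelled in plain Python.
Added example for this issue page; it is not OpenNMS code, and the
fixtures below are constructed from the reproduction steps."""
from urllib.parse import parse_qs, urlsplit

# Constructed fixtures mirroring steps 1 and 2 of the report.
NODE_CATEGORIES = {
    1: {"Servers", "Production"},
    2: {"Servers", "Development"},
    3: {"Servers", "Production"},
}
ALL_CATEGORIES = {"Servers", "Production", "Development"}
GROUP_CATEGORIES = {"canhas": ALL_CATEGORIES, "nocanhas": {"Production"}}
USER_GROUPS = {"jeffg": {"canhas"}, "rjeffg": {"nocanhas"}}

NODE_NOT_FOUND = "Node Not Found"  # assumed response text for the model


class NodeNotFound(Exception):
    """Raised for unknown *and* unauthorized ids alike: one response for both
    means the URL cannot be used to probe which node ids exist."""


def allowed_categories(user):
    """Union of the node categories granted to every group the user is in."""
    allowed = set()
    for group in USER_GROUPS.get(user, ()):
        allowed |= GROUP_CATEGORIES.get(group, set())
    return allowed


def visible_nodes(user):
    """The node list as the UI renders it (step 3a): a node is shown when it
    shares at least one category with the user's groups."""
    allowed = allowed_categories(user)
    return sorted(n for n, cats in NODE_CATEGORIES.items() if cats & allowed)


def node_id_from_url(url):
    """Extract ?node=N from a node-scoped URL such as element/node.jsp?node=1."""
    values = parse_qs(urlsplit(url).query).get("node", [])
    if len(values) != 1 or not values[0].isdigit():
        raise NodeNotFound(url)
    return int(values[0])


def vulnerable_node_detail(user, url):
    """Pre-fix behaviour (step 4): filtering ran only while building the list,
    so a hand-edited id reaches the detail page unchecked. `user` is unused,
    which is exactly the defect."""
    node_id = node_id_from_url(url)
    if node_id not in NODE_CATEGORIES:
        raise NodeNotFound(node_id)
    return {"node": node_id, "categories": sorted(NODE_CATEGORIES[node_id])}


def authorize_node(user, node_id):
    """The one check every node-scoped page (detail page, resource graphs,
    any other ?node= entry point) must run before touching the node."""
    cats = NODE_CATEGORIES.get(node_id)
    if not cats or not (cats & allowed_categories(user)):
        raise NodeNotFound(node_id)
    return node_id


def fixed_node_detail(user, url):
    """Hardened detail page: authorize the id taken from the URL itself."""
    node_id = authorize_node(user, node_id_from_url(url))
    return {"node": node_id, "categories": sorted(NODE_CATEGORIES[node_id])}


def fixed_response(user, url):
    """What the browser sees after the fix: the page, or "Node Not Found"."""
    try:
        return fixed_node_detail(user, url)
    except NodeNotFound:
        return NODE_NOT_FOUND


if __name__ == "__main__":
    print("rjeffg sees", visible_nodes("rjeffg"))
    print("before fix:", vulnerable_node_detail("rjeffg", "element/node.jsp?node=2"))
    print("after fix: ", fixed_response("rjeffg", "element/node.jsp?node=2"))
```

Two points the model is meant to make: the authorization check has to live at every entry point that takes a node id (the report lists the resource graphs workflow as a second one), not in the code that builds the list; and an unknown id and a forbidden id should produce the same response, so the page cannot be used to enumerate node ids the user is not allowed to see.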
Environment
Operating System: All
Platform: PC
Acceptance / Success Criteria
None
Activity
Donald Desloge November 2, 2010 at 2:38 PM
Fixed and will make it into the 1.8.6 release.
Donald Desloge November 2, 2010 at 2:38 PM
This issue has now been fixed. Now when you manually change the node ID in the URL to a node that you are not supposed to see, you will be greeted with a "Node Not Found" page. This feature will make it into the 1.8.6 release.