Magnolia REST Framework
MGNLREST-338: References to content in workspaces should not be resolved for users with insufficient rights

    • Type: Bug
    • Resolution: Not an issue
    • Neutral

      As reported by tmiyar in Slack

      [...] We think we might have a security issue here
      https://git.magnolia-cms.com/projects/MODULES/repos/rest/browse/magnolia-rest-content-delivery/src/main/java/info/magnolia/rest/delivery/jcr/v2/JcrDeliveryEndpoint.java#349
      The reference should not be retrieved in the system context.
      Let's say I'm a user that has read permissions on the website workspace but does NOT have read permission on the categories workspace.
      If a category is referenced in some page, the reference will be resolved and the category will be returned to me (because of the system context).
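      To make the distinction in the report concrete, here is an added example (not code from the Magnolia REST module or the linked endpoint) contrasting reference resolution under the system context with resolution under the requesting user's own JCR session. The class and method names are hypothetical; it assumes the standard javax.jcr API and Magnolia's `MgnlContext.getJCRSession` / `MgnlContext.doInSystemContext`.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import info.magnolia.context.MgnlContext;

/**
 * Hypothetical helper, added for illustration (not part of the Magnolia REST module).
 * A page node holds a reference (UUID) to a node in another workspace, e.g. "categories".
 */
public final class ReferenceResolution {

    private ReferenceResolution() {}

    /**
     * Weak pattern described in the report: the reference is looked up in the system context,
     * so the referenced node is returned even when the calling user may not read that workspace.
     */
    public static Node resolveInSystemContext(final String workspace, final String uuid) throws RepositoryException {
        return MgnlContext.doInSystemContext(new MgnlContext.Op<Node, RepositoryException>() {
            @Override
            public Node exec() throws RepositoryException {
                return MgnlContext.getJCRSession(workspace).getNodeByIdentifier(uuid);
            }
        });
    }

    /**
     * Corrected pattern: resolve the reference with the session of the requesting user.
     * The repository enforces that user's ACLs, so a target the user may not read is reported
     * as absent (JCR hides unreadable items behind ItemNotFoundException) instead of being leaked.
     */
    public static Node resolveAsRequestingUser(String workspace, String uuid) throws RepositoryException {
        Session userSession = MgnlContext.getJCRSession(workspace);
        try {
            Node target = userSession.getNodeByIdentifier(uuid);
            // Explicit read check as well, so the decision does not rely solely on the lookup failing.
            if (!userSession.hasPermission(target.getPath(), Session.ACTION_READ)) {
                return null;
            }
            return target;
        } catch (ItemNotFoundException | AccessDeniedException notReadable) {
            // Not readable for this user: omit the reference from the response rather than resolve it.
            return null;
        }
    }
}
```

      A caller that receives `null` should drop the reference from the serialized page rather than fall back to a privileged lookup.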

        Acceptance criteria

        Attachments:
          1. image-2021-12-09-11-28-16-567.png (162 kB, Teresa Miyar)
          2. image-2021-12-09-11-28-16-600.png (97 kB, Teresa Miyar)
          3. image-2021-12-09-11-28-16-642.png (88 kB, Teresa Miyar)
          4. Screenshot 2021-11-25 at 9.03.14.png (189 kB, Jaroslav Simak)
          5. Screenshot 2021-11-25 at 9.03.40.png (47 kB, Jaroslav Simak)
          6. Screenshot 2021-11-25 at 9.03.50.png (28 kB, Jaroslav Simak)
          7. Screenshot 2021-11-25 at 9.05.18.png (109 kB, Jaroslav Simak)

              Assignee: Unassigned
              Reporter: Federico Grilli (fgrilli)
              Votes: 0
              Watchers: 3