Magnolia REST Framework
MGNLREST-338

References to content in workspaces should not be resolved for users with insufficient rights


Details

    • Bug
    • Resolution: Not an issue
    • Neutral

    Description

      As reported by tmiyar in Slack:

      [...] We think we might have a security issue here:
      https://git.magnolia-cms.com/projects/MODULES/repos/rest/browse/magnolia-rest-content-delivery/src/main/java/info/magnolia/rest/delivery/jcr/v2/JcrDeliveryEndpoint.java#349
      References should not be retrieved in system context.
      Let's say I'm a user who has read permission on the website workspace but does NOT have read permission on the categories workspace.
      If a category is referenced in some page, the reference will be resolved and the category will be returned to me (because of the system context).
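The following is an added example, not code from the Magnolia REST Framework, showing the defensive pattern the report asks for: resolving a stored reference through the requesting user's own JCR session for the target workspace, so that JCR access control (rather than a system context) decides whether the referenced node may be returned. It uses only the standard javax.jcr API; the `targetWorkspaceSession` parameter and the `UserScopedReferenceResolver` class are assumptions for illustration and are not part of the project's `JcrDeliveryEndpoint`.

```java
import java.util.Optional;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/**
 * Added example (not Magnolia project code). Resolves a reference property
 * against a session that belongs to the REQUESTING USER, never a system session,
 * so a user without read permission on the target workspace gets nothing back.
 */
public final class UserScopedReferenceResolver {

    private UserScopedReferenceResolver() {
    }

    /**
     * Resolves the node identifier stored in {@code referenceProperty}.
     *
     * @param referenceProperty      property holding the referenced node's identifier
     *                               (a JCR REFERENCE/WEAKREFERENCE or a plain String UUID)
     * @param targetWorkspaceSession a session for the target workspace opened for the
     *                               requesting user, e.g. via
     *                               repository.login(userCredentials, "categories");
     *                               assumed to be caller-supplied, NOT a system context
     * @return the referenced node if it exists AND is readable by this user,
     *         otherwise Optional.empty()
     */
    public static Optional<Node> resolve(Property referenceProperty, Session targetWorkspaceSession)
            throws RepositoryException {
        // getString() works for REFERENCE, WEAKREFERENCE and String-typed UUIDs alike.
        String targetId = referenceProperty.getString();
        try {
            Node target = targetWorkspaceSession.getNodeByIdentifier(targetId);
            return Optional.of(target);
        } catch (ItemNotFoundException | AccessDeniedException e) {
            // Per JCR 2.0, a node the session may not read is reported as "not found".
            // Collapsing both cases to an empty result also avoids disclosing
            // whether the hidden node exists at all.
            return Optional.empty();
        }
    }

    /**
     * Explicit read check, useful where a node handle was obtained some other way
     * (for example from a cache) and must be re-validated against the user's session.
     */
    public static boolean userMayRead(Session userSession, String absolutePath)
            throws RepositoryException {
        return userSession.hasPermission(absolutePath, Session.ACTION_READ);
    }
}
```

The key design choice is that the session passed in is the one the endpoint is already serving the request with (or a user-scoped login to the referenced workspace), so the permission decision is made by the repository's ACLs for that user. Wrapping the lookup in a system context would bypass exactly that check, which is the leak described above.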

              People

                Unassigned
                fgrilli Federico Grilli
