[MAGNOLIA-2317] Reading user nodes without having correct privileges assigned Created: 12/Aug/08 Updated: 23/Jan/13 Resolved: 15/Aug/08 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | 3.6.1 |
| Fix Version/s: | 3.6.2, 3.6.3 |
| Type: | Bug | Priority: | Major |
| Reporter: | Jan Haderka | Assignee: | Jan Haderka |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||
| Template: |
|
||||||||||||||||||||||||||||||||
| Acceptance criteria: |
Empty
|
||||||||||||||||||||||||||||||||
| Task DoD: |
[ ]*
Doc/release notes changes? Comment present?
[ ]*
Downstream builds green?
[ ]*
Solution information and context easily available?
[ ]*
Tests
[ ]*
FixVersion filled and not yet released
[ ] 
Architecture Decision Record (ADR)
|
||||||||||||||||||||||||||||||||
| Bug DoR: |
[ ]*
Steps to reproduce, expected, and actual results filled
[ ]*
Affected version filled
|
||||||||||||||||||||||||||||||||
| Date of First Response: | |||||||||||||||||||||||||||||||||
| Description |
|
Currently users have assigned privileges to access their own node via ACLs assigned directly to their account. However those privileges are not assigned and used at runtime so in theory user should not be able to log in. |
| Comments |
| Comment by Jan Haderka [ 13/Aug/08 ] |
|
The reason why those privileges are not checked on login is that it is a system which is logging in the user and system has access to user data. |
| Comment by Magnolia International [ 13/Aug/08 ] |
|
Well, I have no strong opinion, but
|
| Comment by Jan Haderka [ 13/Aug/08 ] |
|
|
| Comment by Jan Haderka [ 15/Aug/08 ] |
|
I've decided not to change the fact we do not check for user having rights to read their own account node on login. First we can enforce this only on JCRAuthenticationModule, and second, there is already flag marking account as enabled/disabled. So missing privileges to read/modify own node just means such user is not able to display/change their own preferences which might be desired behaviour in some cases - (semi)public accounts. |