[MAGNOLIA-5506] Default roles have weak URI security checks

Created: 19/Nov/13
Updated: 19/Dec/16

Status: Open
Project: Magnolia
Component/s: samples, security
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Magnolia International
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: next
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLADMLEG-48 PageMVCServlet should be using Aggreg... Closed

Description

The default editor role has a whole bunch of URI denies (/.magnolia/pages/configuration*, etc).

As noted in MAGNOLIA-5505, this opens up a bunch of security issues, such as being able to gain access to a page one shouldn't have access to.

