[MGNLREST-338] References to content in workspaces should not be resolved for users with insufficient rights Created: 24/Nov/21 Updated: 07/Feb/22 Resolved: 09/Dec/21 |
|
| Status: | Closed |
| Project: | Magnolia REST Framework |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Unassigned |
| Resolution: | Not an issue | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Task DoD: |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Bug DoR: |
[X]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
|
| Description |
|
As reported by tmiyar in Slack
|
| Comments |
| Comment by Teresa Miyar [ 09/Dec/21 ] |
|
The security issue is not related to the main content of the delivery endpoint; it's related to the referenced content of the delivery endpoint. The user has read privilege on the website workspace, but not on the campaign workspace. When we hit the endpoint, the campaign is returned although the user does not have privilege to read the campaigns workspace. From my point of view we need some similar mechanism for the reference resolver as we have on the delivery endpoint.
|
| Comment by Jaroslav Simak [ 09/Dec/21 ] |
|
I was referring to references in my comment. The default implementation of the resolver, info.magnolia.rest.reference.jcr.JcrReferenceResolverDefinition, honors ACLs (tried it one more time and it works as expected). If anonymous doesn't have access to the referenced workspace, references are not resolved. In your case, I can see you are using a custom implementation to resolve campaigns. That resolver is doing a JCR SQL query, which might explain why you see the reference resolved (could be that ACLs are ignored for queries maybe?). I would look there for why the reference is being resolved. |
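An added example, not the project's code and not the fix that was applied to CampaignReferenceResolver, of the resolver-side check the discussion calls for: a plain-JCR lookup that runs the query with the requesting user's own session (so the repository's ACLs apply) and then verifies read permission on every hit before returning it. The class and method names, and the assumption that the caller passes a user session bound to the campaigns workspace, are mine.

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

/**
 * Hypothetical helper (not Magnolia's API): looks up referenced nodes in a
 * workspace by a property value, using only the requesting user's session
 * so the repository's ACLs apply, and double-checks read permission per hit.
 */
public final class AclAwareReferenceLookup {

    private AclAwareReferenceLookup() {
    }

    /**
     * @param userSession session of the user making the REST request, bound to
     *                    the workspace holding the referenced content (e.g.
     *                    "campaigns"); never a system/admin session
     * @param nodeType    JCR node type of the referenced content (from config)
     * @param idProperty  property holding the reference key (from config)
     * @param idValue     value read from the referencing node
     */
    public static List<Node> findReadable(Session userSession, String nodeType,
            String idProperty, String idValue) throws RepositoryException {
        QueryManager qm = userSession.getWorkspace().getQueryManager();
        // Bind the looked-up value instead of concatenating it into the statement.
        Query query = qm.createQuery(
                "SELECT * FROM [" + nodeType + "] AS n WHERE n.[" + idProperty + "] = $id",
                Query.JCR_SQL2);
        ValueFactory vf = userSession.getValueFactory();
        query.bindValue("id", vf.createValue(idValue));

        List<Node> readable = new ArrayList<>();
        NodeIterator it = query.execute().getNodes();
        while (it.hasNext()) {
            Node n = it.nextNode();
            // Defence in depth: include a hit only if this session may read it.
            // A user session is already ACL-filtered by the repository; a
            // privileged session would not be, which is why it must not be used.
            if (userSession.hasPermission(n.getPath(), Session.ACTION_READ)) {
                readable.add(n);
            }
        }
        return readable;
    }
}
```

Wiring this into a custom resolver means obtaining the session from the requesting user's context rather than a system context; if the query runs as a privileged user, the permission check above is the only thing keeping unreadable campaigns out of the response.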
| Comment by Teresa Miyar [ 09/Dec/21 ] |
|
It was indeed a problem in CampaignReferenceResolver; thank you for your help. |