[MGNLUI-4833] App launcher's group permissions are not checked Created: 28/Nov/18  Updated: 30/Nov/18  Resolved: 30/Nov/18

Status: Closed
Project: Magnolia UI
Component/s: admincentral
Affects Version/s: 6.0
Fix Version/s: 6.0

Type: Bug Priority: Blocker
Reporter: Mikaël Geljić Assignee: Mikaël Geljić
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 0d
Time Spent: 0.25d
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLUI-4680 Find Bar search respects content secu... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: 6.0 requisite
Sprint: Saigon 159
Story Points: 1

 Description   
  App launcher group permissions are not enforced on two launch paths:
  • apps can be opened directly via the location fragment in the URL
  • apps may appear in Find Bar results


 Comments   
Comment by Antti Hietala [ 29/Nov/18 ]

Permissions to launch an app via Find Bar were already verified in MGNLUI-4680. Is this new issue a regression?

Comment by Mikaël Geljić [ 29/Nov/18 ]

Previous resolution was incomplete; it did not account for app launcher *group* permissions.

Comment by Hieu Nguyen Duc [ 30/Nov/18 ]

QAed on "Version number : 6.0 (Snapshot: 2018.11.29 23:56:31)" and found a security breach.


+ "eric" and "tina" can access Messages app to send messages via URI. This behaviour is different from M5.

+ "eric" and "tina" can even access Cache tool and flush all caches!

+ "eric" and "tina" can open Definitions app while they can't search for that app.

+ "tina" can open Personas while she can't search for that app.


Comment by Mikaël Geljić [ 30/Nov/18 ]

Thank you for spotting this, hieu.nguyen; although group permissions were checked for location changes, they were indeed not applied to the initial location request. So the cases above were reproducible only with a page refresh.

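The bug class described in the last two comments, shown as an added illustration (not Magnolia code and not attached to this issue): a launcher that checks group permissions when the location changes inside the running UI, but lets the initial location request (page load or refresh with an "#app:..." fragment) open the app unchecked, next to a version that routes both entry points through one guard. The class and method names, the "app:<name>:..." fragment layout and the group table are assumptions made for this example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Constructed demo of the permission gap in MGNLUI-4833: the in-app location
 * change is guarded, the initial location request is not. Nothing here is
 * Magnolia's own code; names and the fragment format are assumptions.
 */
public class AppLauncherPermissionDemo {

    /** Sample app launcher group permissions (constructed for the demo). */
    static final Map<String, Set<String>> APP_PERMISSIONS = Map.of(
        "pages",       Set.of("superusers", "editors", "publishers"),
        "messages",    Set.of("superusers"),
        "cache",       Set.of("superusers"),
        "definitions", Set.of("superusers"),
        "personas",    Set.of("superusers", "editors"));

    record User(String name, Set<String> groups) {}

    /** Allowed if any of the user's groups is in the app's permitted groups. */
    static boolean mayLaunch(User user, String app) {
        Set<String> allowed = APP_PERMISSIONS.get(app);
        return allowed != null && !Collections.disjoint(allowed, user.groups());
    }

    /** Extracts the app name from an assumed "app:<name>[:subapp...]" fragment. */
    static Optional<String> appFromFragment(String fragment) {
        if (fragment == null || !fragment.startsWith("app:")) return Optional.empty();
        String rest = fragment.substring("app:".length());
        int colon = rest.indexOf(':');
        String app = colon < 0 ? rest : rest.substring(0, colon);
        return app.isEmpty() ? Optional.empty() : Optional.of(app);
    }

    /** Before: the initial request opens the app directly; only later changes are checked. */
    static class VulnerableLauncher {
        String current = null;

        void onInitialLocation(User user, String fragment) {
            // Missing guard: whatever the fragment names gets opened on page load/refresh.
            appFromFragment(fragment).ifPresent(app -> current = app);
        }

        void onLocationChange(User user, String fragment) {
            appFromFragment(fragment)
                .filter(app -> mayLaunch(user, app))
                .ifPresent(app -> current = app);
        }
    }

    /** After: both entry points funnel through a single guarded resolver. */
    static class GuardedLauncher {
        String current = null;

        private void open(User user, String fragment) {
            Optional<String> app = appFromFragment(fragment);
            if (app.isEmpty()) return;
            if (!mayLaunch(user, app.get())) {
                // Same denial on both paths; a real launcher would log this for detection.
                System.out.println("denied: " + user.name() + " -> " + app.get());
                return;
            }
            current = app.get();
        }

        void onInitialLocation(User user, String fragment) { open(user, fragment); }
        void onLocationChange(User user, String fragment) { open(user, fragment); }
    }

    public static void main(String[] args) {
        // "eric" is an editor in this demo, so "cache" must stay closed to him on every path.
        User eric = new User("eric", Set.of("editors"));

        VulnerableLauncher bad = new VulnerableLauncher();
        bad.onLocationChange(eric, "app:cache:main;");
        System.out.println("vulnerable, in-app change: " + bad.current);
        bad.onInitialLocation(eric, "app:cache:main;");
        System.out.println("vulnerable, page refresh:  " + bad.current);

        GuardedLauncher good = new GuardedLauncher();
        good.onInitialLocation(eric, "app:cache:main;");
        System.out.println("guarded, page refresh:     " + good.current);
        good.onInitialLocation(eric, "app:pages:browser;");
        System.out.println("guarded, permitted app:    " + good.current);
    }
}
```

Run with a Java 16 or newer JDK (`java AppLauncherPermissionDemo.java`). The vulnerable launcher refuses the cache app when the fragment arrives as an in-app change but opens it when the same fragment is the initial location, which is exactly the page-refresh reproduction described above; the guarded launcher refuses it on both paths and still opens an app the user's group is permitted to use. The practical check when reviewing a fix of this kind is that every way a location can enter the system (initial request, in-app navigation, Find Bar result, bookmark) calls the same authorization routine, rather than each path carrying its own copy of the check.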
Generated at Mon Feb 12 09:20:33 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.