Change exchange ACL so non-admin user can't read nodes owned by others #350

Closed
3 tasks
bmpotter opened this issue Apr 29, 2020 · 2 comments

@bmpotter
Member

A customer has raised that this is a security concern, and I tend to agree. I think the code fix for this is trivial:

  • In src/main/resources/config.json in the api.acls.User array, remove READ_ALL_NODES
  • There may also be existing tests that need updating
  • And add a couple tests to ensure a non-admin user can't read another's node, but an admin user can

I don't think this change will have any impact on existing users or usage scenarios, but I'm not sure, and I'm concerned that the ACLs have been this way for so long that it is hard to know if anyone has been depending on it. So better to make this change soon so we have more time for ad hoc testing.
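
The change and the two test cases proposed in the comment above, sketched as an added example that is not part of the original issue or the project's code. Only the `api.acls.User` array and `READ_ALL_NODES` come from the issue; the `AdminUser` role name, the `READ_MY_NODES` permission, the user names and the simplified access rule are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the api.acls section named in the issue.
# Only "User" and "READ_ALL_NODES" come from the issue; the other role and
# permission names are assumptions made for this example.
CONFIG_BEFORE = json.loads("""
{"api": {"acls": {
  "AdminUser": ["READ_MY_NODES", "READ_ALL_NODES"],
  "User":      ["READ_MY_NODES", "READ_ALL_NODES"]
}}}
""")


def remove_permission(config, role, permission):
    """Return a copy of config with one permission dropped from one role."""
    patched = json.loads(json.dumps(config))  # deep copy, input stays intact
    acl = patched["api"]["acls"][role]
    patched["api"]["acls"][role] = [p for p in acl if p != permission]
    return patched


def can_read_node(config, role, requester, node_owner):
    """Simplified model of the access decision: reading your own node needs
    READ_MY_NODES, reading anyone else's needs READ_ALL_NODES.
    Roles missing from the ACL table get no access (fail closed)."""
    granted = set(config["api"]["acls"].get(role, []))
    needed = "READ_MY_NODES" if requester == node_owner else "READ_ALL_NODES"
    return needed in granted


def audit(config, non_admin_roles=("User",)):
    """List non-admin roles that can still read nodes owned by others."""
    return [r for r in non_admin_roles
            if "READ_ALL_NODES" in config["api"]["acls"].get(r, [])]


CONFIG_AFTER = remove_permission(CONFIG_BEFORE, "User", "READ_ALL_NODES")

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "over-permissive roles:", audit(cfg))
        print("  user alice reads bob's node:", can_read_node(cfg, "User", "alice", "bob"))
        print("  user alice reads own node:  ", can_read_node(cfg, "User", "alice", "alice"))
        print("  admin reads bob's node:     ", can_read_node(cfg, "AdminUser", "root", "bob"))
```

Running `audit` against the deployed configuration in CI catches a later edit that puts the permission back on a non-admin role.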

@sf2ne sf2ne assigned naphelps and unassigned sf2ne Apr 29, 2020
@sf2ne sf2ne added this to the Sprint 35: 5/8 milestone Apr 29, 2020
@sf2ne sf2ne added the blocked label May 5, 2020
@sf2ne
Collaborator

sf2ne commented May 5, 2020

Pending a response from the UI team on if this is containable for this release

@sf2ne sf2ne removed the blocked label May 5, 2020
@naphelps naphelps mentioned this issue May 6, 2020
@sf2ne
Collaborator

sf2ne commented Jun 4, 2020

Verified on staging

@sf2ne sf2ne closed this as completed Jun 4, 2020