Moved from java.net: https://appfuse.dev.java.net/issues/show_bug.cgi?id=126
A user with the role 'tomcat' can easily gain access to add and delete users
from the application. In the default configuration, the user can type in the
url for the 'userForm' page and be able to add a user with admin rights. Once
added, they are taken to the 'users.html' page where they see all users and can
delete any other user listed.
The second way of doing this same behavior is a bug in the behavior of the
save, delete, cancel buttons on the 'userForms.html' page. When a user logs in
and clicks on 'Edit Profile' link, they are brought to the 'userForm'. If the
user clicks cancel, the user is brought back to the main menu, but in the
address bar, instead of saying mainMenu.html, it says userForm.html. The user
can just highlight the url, hit enter, and be brought to the 'userForm.html'
page where they can add a user as described above. When you save or delete a
user, you are brought back to 'users.html', but the url in the address bar
------- Additional comments from melinate Fri Apr 15 17:24:11 +0000 2005 -------
A partial solution to this problem is to limit users access to methods on the
managers. Rather than relying on buttoning up all holes in the UI. It might be
possible to make the default AppFuse bulletproof in this reguard, but once users
start adding POJO's and CRUD classes of their own there will be a whole new set
of cracks that someone could get through.
I suppose this issue would be resolved once either the specific case mentioned
is fixed, or the security by methods is added to the AppFuse core.
------- Additional comments from melinate Sun Apr 17 21:29:14 +0000 2005 -------
- Issue 132 has been marked as a duplicate of this issue. ***
------- Additional comments from mraible Mon Apr 18 05:37:26 +0000 2005 -------
We should try to fix this. I'm cool with limiting method invocations based on
role, but I think we should probably use Acegi's method of logging in a test
user as part of our test's setUp() - instead of using Ant to comment out the
interceptor. A better way might be too set the list of interceptors to null on
the "userManager" bean. I tried this a while back and it didn't work, but it
might w/ the latest Spring version.
------- Additional comments from mraible Fri Apr 29 05:53:52 +0000 2005 -------
Changing milestone to 1.9 - hopefully we can fix it soon after the 1.8 release.
It's possible we'll do a 1.8.1 release as well.
|Field||Original Value||New Value|
|Affects Version/s||1.8.1 [ 10002 ]|
|Affects Version/s||1.8 [ 10000 ]|
|Component/s||Web - Struts [ 10014 ]|
|Fix Version/s||1.8.1 [ 10002 ]|
|Fix Version/s||1.9 [ 10001 ]|
|Status||Open [ 1 ]||Resolved [ 5 ]|
|Resolution||Fixed [ 1 ]|