[#APF-88] A 'tomcat' user can view all the registered users' info. - AppFuse JIRA

AppFuse

Created: 29/Jun/05 07:52 PM Updated: 02/Aug/05 01:19 AM Resolved: 02/Aug/05 01:19 AM

Component/s:

Security

Affects Version/s:

1.8.1

Fix Version/s:

1.8.2

Description

« Hide

please try this as a 'tomcat' role user.
http://demo.appfuse.org/appfuse/editProfile.html?method=search

All the registered users will be listed.

Sort Order:

1068 by Matt Raible (3 files)

02/Aug/05 01:13 AM (59 months, 28 days ago)

Fix http://issues.appfuse.org/browse/APF-88 and http://issues.appfuse.org/browse/APF-96: security holes where 'tomcat' role could see things that only an 'admin' role should see.

appfuse: trunk/test/service/org/appfuse/service/UserSecurityAdviceTest.java 1068

(+56 -6) diffs

appfuse: trunk/src/service/org/appfuse/service/applicationContext-service.xml 1068

(+4 -7) diffs

appfuse: trunk/src/service/org/appfuse/service/UserSecurityAdvice.java 1068

(+46 -18) diffs

[ Permalink | « Hide ]

Matt Raible added a comment - 02/Aug/05 01:19 AM

Fixed in CVS by overriding "userManager" bean definition in applicationContext-security.xml. This definition contains a MethodInvocationInterceptor that only allows certain methods to be invoked by certain users.

https://appfuse.dev.java.net/source/browse/appfuse/web/WEB-INF/applicationContext-security.xml?r1=1.5&r2=1.6

Matt Raible made changes - 02/Aug/05 01:19 AM