Bug #5257
Security problem when accessing an individual social node
| Status: | Closed | Start date: | 24/01/2011 |
|---|---|---|---|
| Priority: | Urgent | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | Bugs 1.2 | | |
Description
When you access a social node using the node get_data, get_image, etc. methods, LGS does not control whether the viewer has access (privacy) to this information.
The only privacy the system takes into account is when getting the dictionary (fields) information. This is not enough, because there is only privacy for location fields, and other users could access the rest of the node information. You shouldn't even have the node if you don't have perms.
When you make a search in a layer, there is no problem, because the system uses SQL queries that take into account the nodes visible to the viewer. Of course, after the search, it also uses the dictionary fields privacy.
History
#1 Updated by over 2 years ago
- Status changed from New to Closed
Solved in the revision 1672.
Get_data, get_image, etc. methods check if the nodes are visible for the viewer, throwing a new exception if the viewer does not have enough perms.
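The gap and the fix described in this issue, as an added example that is not LGS code: the direct accessor applies the same node-level visibility rule as the layer search before any field-level filtering. The class, the exception name, the privacy levels and the sample node are all hypothetical.

```python
# Hypothetical model of the issue; none of these names come from LGS.
PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"

class NodeNotVisible(Exception):
    """Viewer has no permission to see the node at all."""

class Node:
    def __init__(self, node_id, owner, privacy, fields, field_privacy=None, friends=()):
        self.node_id, self.owner, self.privacy = node_id, owner, privacy
        self.fields = fields
        self.field_privacy = field_privacy or {}   # per-field levels, default public
        self.friends = set(friends)

    def _allowed(self, level, viewer):
        if viewer == self.owner or level == PUBLIC:
            return True
        return level == FRIENDS and viewer in self.friends

    def visible_to(self, viewer):
        # Node-level rule: the one the layer search already applies.
        return self._allowed(self.privacy, viewer)

    def _filtered_fields(self, viewer):
        # Field-level ("dictionary") privacy only.
        return {k: v for k, v in self.fields.items()
                if self._allowed(self.field_privacy.get(k, PUBLIC), viewer)}

    def get_data_unchecked(self, viewer):
        # Reported behaviour: field privacy alone, no node-level check.
        return self._filtered_fields(viewer)

    def get_data(self, viewer):
        # Fixed behaviour: refuse the whole node first, then filter fields.
        if not self.visible_to(viewer):
            raise NodeNotVisible(f"node {self.node_id} is not visible to {viewer}")
        return self._filtered_fields(viewer)

def search_layer(nodes, viewer):
    # Search path: only nodes visible to the viewer are ever returned.
    return [n.get_data(viewer) for n in nodes if n.visible_to(viewer)]

# Constructed sample: a private node where only the location field is restricted.
SAMPLE = Node(7, "alice", PRIVATE,
              {"name": "Alice", "note": "draft", "position": (40.3, -3.7)},
              field_privacy={"position": PRIVATE})

if __name__ == "__main__":
    print("unchecked:", SAMPLE.get_data_unchecked("mallory"))  # non-location fields leak
    try:
        SAMPLE.get_data("mallory")
    except NodeNotVisible as exc:
        print("checked:", exc)
```

Keeping the node-level rule in one method that both the search and the accessors call prevents the two paths from drifting apart again.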