MMBase

Wizards do not check all security constraints

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Major Major
  • Resolution: Unresolved
  • Affects Version/s: 1.6.1
  • Fix Version/s: 2.0.0
  • Component/s: Editwizards
  • Description:
    Hide
    original bugid: #6086
    Some security issues still remain:
    - the wizards do not check if a relation between two objects is allowed. This should probably be checked in list.jsp when creating a searchlist
    - popupwizards ('startwizard' fields and commands) now check if you can edit an object, but not if you can create it. This is because you cannot read rights directly from the name for a wizard. A xml reader may be used to facilitate info about a wizard (by pre-fetching it and checking the create action in the xml).
    Show
    original bugid: #6086 Some security issues still remain: - the wizards do not check if a relation between two objects is allowed. This should probably be checked in list.jsp when creating a searchlist - popupwizards ('startwizard' fields and commands) now check if you can edit an object, but not if you can create it. This is because you cannot read rights directly from the name for a wizard. A xml reader may be used to facilitate info about a wizard (by pre-fetching it and checking the create action in the xml).

Issue Links

relates to
 
solves
 

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Henk Hangyi added a comment - 2007-02-25 10:48
I think fixing some the issues with the editwizards should be part of the 1.9 release and to what extent this issue is a Must Have / Nice to Have.

As far as i know a lot of users are using the editwizards so we will be supporting for the coming years.
Show
Henk Hangyi added a comment - 2007-02-25 10:48 I think fixing some the issues with the editwizards should be part of the 1.9 release and to what extent this issue is a Must Have / Nice to Have. As far as i know a lot of users are using the editwizards so we will be supporting for the coming years.

People

Dates

  • Created:
    2003-06-02 16:20
    Updated:
    2009-07-31 16:24
Atlassian JIRA (v4.1#519) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for MMBase Foundation. Try JIRA - bug tracking software for your team.