Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-24789

Fix WebUI anonymous user can access too much information

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 9.10, 10.1
    • Fix Version/s: 9.10-HF10, 10.2
    • Component/s: Web UI
    • Release Notes Summary:
      The access to the user administration is disabled for anonymous users.
    • Tags:
    • Backlog priority:
      700
    • Browser:
    • Sprint:
      nxGang Sprint 10.2.7
    • Story Points:
      3

      Description

      1) Configure an anonymous user and let it access 1 WebUI page

      2) As it has access to Quick Search button, he can search for users (e.g. entering "Admin")
      3) It clicks on "Administrator" , and in the user page, hit the "back" WebUI button (not the browser back button but the blue left arrow)
      4) It then gets to users admin page and can enter * in the search field and hit Enter
      5) It then accesses the whole Nuxeo user/group directory
      6) It clicks on any user and can see the mail address of the user.

      In JSF, as a matter of comparison, the guest user cannot access the user admin page at all.

      Resolution
      /admin/user-group-management should not be accessible by non-power-users / non-admins unless it is set with a username (ie. /admin/user-group-management/user/ausername) for profile view only.

        Attachments

          Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. ELEMENTS-1020 WebUI: User-Group screen: no left arrow should remain (at least for for non-admin users) since NXP-24789

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. ELEMENTS-679 Fix users being able to delete their own profile

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NXP-25145 Move administration to UI contribution

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. ELEMENTS-680 Remove "back" button visible in some user and group management pages

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour, 15 minutes
                  1h 15m