[NXP-26843] Fix security not restricted enough when logging anew with a restricted user - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 9.10
Fix Version/s: 10.10-HF29, 11.2, 2021.0
Component/s: Authentication, Web UI

Release Notes Summary:
The BasicAuth challenge is not displayed when a request comes with the Cookie header.
Tags:
- CS
- nxsupport
Backlog priority:
800
Browser:
- All_Browsers
Sprint:
nxsupport 11.1.7

Description

In WebUI, if session times out, you are prompted to log again using basic authentication pop-up.
When logging as another user than the previous one, the display enables the new user to see many features enabled to the previous user, e.g. Administrator.

Requesting to display only features enabled to the new user after relogging.

Attachments

Issue Links

is duplicated by

NXP-24792 Don't challenge clients with basic auth on api calls with invalid credentials

Resolved

is related to

NXP-19322 Do not disable prompt handling by default on automation authentication chain

Resolved

NXP-25021 Handle expired session in WebUI

Resolved

NXP-26208 Handle expired session in WebUI properly

Resolved

Is referenced in

(3 Is referenced in)

Activity

People

Assignee:

Thierry Martins

Reporter:

Patrick Abgrall

Participants:

Jenkins, Nelson Silva, Patrick Abgrall, Support Tech User, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

2019-02-21 12:08

Updated:

2021-01-19 16:57

Resolved:

2020-06-25 07:57

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 40m