Dan Haywood <dan@haywood-associates.co.uk> committed on 12 Sep 14
ISIS-883, ISIS-885, ISIS-846: prevent user circumventing security by hacking a URL.

for (bookmarked actions), check business rules on execution; throw new ObjectMember.AuthorizationException if it fails visibility or usability checks

for entities, if pasted into a URL, check the user has permissions to at least one property or collection; throw AuthorizationException otherwise

for entities, if the object cannot be loaded, throw AuthorizationException (avoid disclosing whether the object exists or not)

for the error page, if an AuthorizationException is received, suppress the stack trace to avoid leaking information to a possible attacker

in addition:

- for example todoapp, simplified
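The three checks the commit message describes (re-validating a bookmarked action at execution time, requiring at least one visible member before an entity URL resolves, and answering unknown ids and forbidden ids with the same exception, with the error page withholding the stack trace) can be seen together in the following added example. It is illustration written for this page, not Apache Isis code: every type in it (UrlGuardExample, AuthorizationException, Member, ObjectStore, UrlGuard) and the TODO sample data are hypothetical stand-ins, and the only name taken from the commit is the idea of an AuthorizationException.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration of the checks described in the commit message above.
// All types here are hypothetical stand-ins, not Apache Isis classes.
public class UrlGuardExample {

    /** Thrown for any request the current user may not carry out, whatever the reason. */
    static class AuthorizationException extends RuntimeException {
        AuthorizationException() { super("Not authorized"); }
    }

    /** A property, collection or action of a domain object, with its per-user rules. */
    record Member(String name, boolean isAction, Set<String> viewers, Set<String> users) {
        boolean visibleTo(String user) { return viewers.contains(user); }
        boolean usableBy(String user)  { return users.contains(user); }
    }

    /** Minimal object store: object id -> members (null when the id is unknown). */
    record ObjectStore(Map<String, List<Member>> objects) {
        List<Member> load(String oid) { return objects.get(oid); }
    }

    /** Guard applied to every URL the framework dereferences, navigated to or pasted. */
    static class UrlGuard {
        private final ObjectStore store;
        UrlGuard(ObjectStore store) { this.store = store; }

        /** Entity URL: the user must be able to see at least one property or collection.
         *  An unknown id raises the same exception, so existence is not disclosed. */
        List<Member> openEntity(String oid, String user) {
            List<Member> members = store.load(oid);
            if (members == null) throw new AuthorizationException();
            boolean anyVisible = members.stream()
                    .anyMatch(m -> !m.isAction() && m.visibleTo(user));
            if (!anyVisible) throw new AuthorizationException();
            return members.stream().filter(m -> m.visibleTo(user)).toList();
        }

        /** Bookmarked action URL: visibility and usability are re-checked when the
         *  action executes, not only when the link was originally rendered. */
        String executeAction(String oid, String action, String user) {
            List<Member> members = store.load(oid);
            if (members == null) throw new AuthorizationException();
            Member m = members.stream()
                    .filter(x -> x.isAction() && x.name().equals(action))
                    .findFirst().orElseThrow(AuthorizationException::new);
            if (!m.visibleTo(user) || !m.usableBy(user)) throw new AuthorizationException();
            return "executed " + action + " on " + oid;
        }
    }

    /** Error page: no stack trace for authorization failures; other errors keep theirs. */
    static String renderError(Throwable t) {
        if (t instanceof AuthorizationException) {
            return "Not authorized";
        }
        StringBuilder sb = new StringBuilder(t.toString()).append('\n');
        for (StackTraceElement e : t.getStackTrace()) sb.append("  at ").append(e).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: two todo items with different per-user rules.
        ObjectStore store = new ObjectStore(Map.of(
            "TODO:1", List.of(
                new Member("description", false, Set.of("alice", "bob"), Set.of("alice")),
                new Member("complete",    true,  Set.of("alice"),        Set.of("alice"))),
            "TODO:2", List.of(
                new Member("description", false, Set.of("alice"), Set.of("alice")))));
        UrlGuard guard = new UrlGuard(store);

        System.out.println(guard.openEntity("TODO:1", "bob").size());        // 1: only "description"
        System.out.println(guard.executeAction("TODO:1", "complete", "alice"));
        for (String[] req : new String[][] {
                {"TODO:2", "bob"},       // exists, but bob can see no member of it
                {"TODO:999", "bob"}}) {  // does not exist: identical response
            try {
                guard.openEntity(req[0], req[1]);
            } catch (AuthorizationException e) {
                System.out.println(req[0] + " -> " + renderError(e));
            }
        }
        try {
            guard.executeAction("TODO:1", "complete", "bob"); // bookmarked link, bob not permitted
        } catch (AuthorizationException e) {
            System.out.println(renderError(e));
        }
    }
}
```

The point of routing every failure through one exception type is that the response for "TODO:2" (exists, not visible) and "TODO:999" (does not exist) is byte-for-byte the same, and the error page renders it without a stack trace, so neither the object's existence nor the framework's internals can be read off the response.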

