Ticket #311 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

Model/View implicit circuit permissions should be internal

Reported by: scorfield
Owned by: scorfield
Type: defect
Priority: Normal
Milestone: Fusebox 5.5.1
Component: Miscellaneous
Version: 5.5
Severity: normal
Keywords:
Cc:

Description

Permissions are not checked on implicit circuits - you should not be able to call model fuseactions or view fuseactions directly from the URL.

Change History

Changed 8 months ago by scorfield

  • status changed from new to accepted
  • type changed from enhancement to defect

It may be that some people are relying on this working, i.e., not being checked, so we may need a mode to not check permissions (FUSEBOX_PARAMETERS.allCircuitsPublic = true - default false).

Changed 8 months ago by scorfield

  • status changed from accepted to closed
  • resolution set to fixed

(In [685]) Fixes #311 by performing access checking for public implicit fuseactions and dynamic private fuseactions.