-
-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unauthorized user can change access policy on update #1450
Comments
I checked the code and found we only check if the submitter has the
|
I would propose a following check (see pseudo-code):
|
Do we swallow the error with |
If we can, I think it would be great to accept the UPDATE, but with the original access policy. If we can't do that, then we should throw an exception and reject the UPDATE. |
…doesn't allow them to change the access rules. See the ticket #1450
Now in the update method, Metacat will check if the user has the CHANGE_PERMISSION. If it does, Metacat just process it. If it does not, Metacat will check WRITE_PERMISSION and the modification of the access rules. |
I came across this issue today while testing the access policy editor in MetacatUI.
Issue description:
I created a portal object and added a user (
uid=kepler,o=unaffiliated,dc=ecoinformatics,dc=org
) to the access policy with onlyread
andwrite
access. I logged in as this user and despite not havingchangePermission
permission, I was able to update the portal object with a different access policy in the system metadata.I noticed this only happens when I update the object. If I only update the system metadata, metacat responds with a
401
, which is expected:Expected behavior: Metacat should accept my update to the object, but should not save the changes I made to the system metadata, since I only have
read
andwrite
access.To reproduce:
read
andwrite
access to a user.isAuthorized
API withchangePermission
, and note that you get the expected401
response.401
response.200
response and see that the update to the object and system metadata was successful. This is the bug.The text was updated successfully, but these errors were encountered: