Custom Query (2152 matches)
Results (190 - 192 of 2152)
Ticket | Resolution | Summary | Owner | Reporter
---|---|---|---|---
#129 | invalid | Secure db access by channelling query generation through authz module | rgrp | dread

Description: Controllers and templates should not access db objects directly; they should do all access via the authz module, giving the username. They are handed a query that has already been filtered by the packages they are authorized to read. (Additional idea to be discussed: when they request a package object, they are handed a copy of the db object, disconnected from the database, so that the db object can't be changed.) A couple of tests can be re-enabled when this is done: ckan.tests.functional.test_authz.TestUsage.test_admin_list_deleted and ckan.tests.functional.test_authz.TestUsage.test_search_deleted

#131 | fixed | Groups REST interface | dread | dread

Description: Controlling groups through a REST interface.

#132 | fixed | Security hole - read package/group list (REST) | rgrp | dread

Description: Using the REST interface you can list packages and groups without authorization being checked. Can be fixed using a more advanced query to check authz.
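The two tickets describe one pattern: #132 is a REST list that queries the db with no authorization check, and #129 is the fix, an authz module that takes the username and hands back a query already filtered to what that user may read (plus the idea of handing out disconnected copies). The block below is an added example written for this page, not CKAN's own code; the SQLite schema (package, package_role, user tables, a sysadmin flag, an is_public column) and the sample rows are constructed assumptions standing in for CKAN's real model. It shows the unchecked list beside the authz-filtered one, with anonymous callers defaulting to deny and only sysadmins seeing deleted packages (the case the re-enabled tests in #129 are named after).

```python
"""Added example, not CKAN code: authz-filtered package listing (#129) beside
the unchecked REST list (#132). Schema and data are assumptions for this demo."""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


# ---- constructed sample data (assumed schema, not CKAN's real one) ----
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE package (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                              state TEXT, is_public INTEGER);
        CREATE TABLE package_role (package_id INTEGER, username TEXT, role TEXT);
        CREATE TABLE user (name TEXT PRIMARY KEY, sysadmin INTEGER);
        INSERT INTO package VALUES (1, 'public-data',  'active',  1);
        INSERT INTO package VALUES (2, 'private-data', 'active',  0);
        INSERT INTO package VALUES (3, 'old-data',     'deleted', 1);
        INSERT INTO package_role VALUES (2, 'alice', 'reader');
        INSERT INTO user VALUES ('alice', 0);
        INSERT INTO user VALUES ('root', 1);
    """)
    return conn


# ---- the hole from #132: a REST list that never consults authz ----
def list_packages_unchecked(conn: sqlite3.Connection) -> List[str]:
    # Returns private and deleted packages to anyone, including anonymous callers.
    return [row[0] for row in conn.execute("SELECT name FROM package ORDER BY name")]


# ---- the authz module from #129: callers give a username, get a filtered query ----
@dataclass(frozen=True)
class PackageView:
    """Disconnected copy handed to controllers/templates: frozen, so a caller
    cannot mutate it and have the change leak back into the db (the
    'additional idea' in #129)."""
    id: int
    name: str
    state: str


def _is_sysadmin(conn: sqlite3.Connection, username: Optional[str]) -> bool:
    if username is None:
        return False
    row = conn.execute("SELECT sysadmin FROM user WHERE name = ?", (username,)).fetchone()
    return bool(row and row[0])


def authorized_package_query(conn: sqlite3.Connection,
                             username: Optional[str]) -> Tuple[str, dict]:
    """Return (sql, params) already restricted to what `username` may read.
    Default deny: anonymous (None) sees only public, active packages; a
    package role grants reading a private one; only sysadmins see deleted."""
    sysadmin = 1 if _is_sysadmin(conn, username) else 0
    sql = """
        SELECT p.id, p.name, p.state
        FROM package p
        WHERE (p.state = 'active' OR :sysadmin = 1)
          AND (p.is_public = 1
               OR :sysadmin = 1
               OR EXISTS (SELECT 1 FROM package_role r
                          WHERE r.package_id = p.id AND r.username = :username))
        ORDER BY p.name
    """
    return sql, {"sysadmin": sysadmin, "username": username}


def list_packages(conn: sqlite3.Connection, username: Optional[str]) -> List[PackageView]:
    """What the REST controller should call: it never builds its own query."""
    sql, params = authorized_package_query(conn, username)
    return [PackageView(*row) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    print("unchecked:", list_packages_unchecked(db))
    for who in (None, "alice", "root"):
        print(who, [p.name for p in list_packages(db, who)])
```

The point of returning (sql, params) rather than rows is the one #129 makes: the controller can add its own search terms or paging on top, but cannot drop the authorization predicate, because it never sees an unfiltered query.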