Custom Query (2152 matches)

Results (190 - 192 of 2152)

Ticket Resolution Summary Owner Reporter
#129 invalid Secure db access by channelling query generation through authz module rgrp dread

Reported by dread, 5 years ago.

Description

Controllers and templates should not access db objects directly - they should do all access via the authz module, giving the username. They are handed a query that has already been filtered by the packages they are authorized to read.

(Additional idea to be discussed: When they request a package object, they are handed a copy of the db object - disconnected from the database - so the db object can't be changed.)

A couple of tests can be reenabled when this is done: ckan.tests.functional.test_authz.TestUsage.test_admin_list_deleted, ckan.tests.functional.test_authz.TestUsage.test_search_deleted

#131 fixed Groups REST interface dread dread

Reported by dread, 5 years ago.

Description

Controlling Groups through a REST interface.

#132 fixed Security hole - read package/group list (REST) rgrp dread

Reported by dread, 5 years ago.

Description

Using the REST interface, you can list packages and groups without authorization being checked.

Can be fixed using a more advanced query to check authz.
