Ticket #133 (closed defect: fixed)
Security hole - search package/group (WUI & REST)
| Reported by: | dread | Owned by: | rgrp |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | ckan | Keywords: | |
| Cc: | | Repository: | |
| Theme: | | | |
Description
Using the WUI or REST interface you can search packages and groups without authorization being checked.
On the REST interface you can also read all the attributes of the packages using the 'all-fields' option.
Can be fixed using a more advanced query to check authz.
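The fix the ticket proposes, checking authz inside the search query rather than after it, shown as an added example that is not CKAN's own code. The schema, the 'visitor' pseudo-user for anonymous access, and the role names are assumptions; the first function reproduces the reported unchecked search, the others filter packages and group names through a role join so unreadable rows are never selected.

```python
import sqlite3

# Constructed in-memory schema; table/column names are assumptions, not CKAN's.
SCHEMA = """
CREATE TABLE package (id INTEGER PRIMARY KEY, name TEXT, notes TEXT);
CREATE TABLE grp (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE package_group (package_id INTEGER, group_id INTEGER);
CREATE TABLE package_role (package_id INTEGER, user_name TEXT, role TEXT);
CREATE TABLE grp_role (group_id INTEGER, user_name TEXT, role TEXT);
INSERT INTO package VALUES (1,'public-stats','open stats'),(2,'secret-stats','internal stats');
INSERT INTO grp VALUES (1,'open-data'),(2,'internal');
INSERT INTO package_group VALUES (1,1),(2,1),(2,2);
INSERT INTO package_role VALUES (1,'visitor','reader'),(2,'alice','reader');
INSERT INTO grp_role VALUES (1,'visitor','reader'),(2,'alice','reader');
"""
READ_ROLES = ("reader", "editor", "admin")  # roles assumed to grant read access

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # constructed sample data; 'visitor' = anonymous
    return conn

def search_packages_unchecked(conn, q):
    """The reported behaviour: the search query never consults authz."""
    sql = "SELECT name FROM package WHERE name LIKE ? OR notes LIKE ? ORDER BY name"
    return [r[0] for r in conn.execute(sql, (f"%{q}%", f"%{q}%"))]

def search_packages(conn, q, user):
    """Authz is part of the query, so unreadable rows never reach the result."""
    sql = """SELECT DISTINCT p.name FROM package p
             JOIN package_role r ON r.package_id = p.id
             WHERE (p.name LIKE ? OR p.notes LIKE ?)
               AND r.user_name IN (?, 'visitor') AND r.role IN (?, ?, ?)
             ORDER BY p.name"""
    rows = conn.execute(sql, (f"%{q}%", f"%{q}%", user) + READ_ROLES)
    return [r[0] for r in rows]

def package_all_fields(conn, name, user):
    """all_fields-style read, or None if unreadable. Group names pass through
    the same kind of join, so unreadable groups are not even named."""
    if name not in search_packages(conn, name, user):
        return None
    sql = """SELECT DISTINCT g.name FROM grp g
             JOIN package_group pg ON pg.group_id = g.id
             JOIN package p ON p.id = pg.package_id
             JOIN grp_role gr ON gr.group_id = g.id
             WHERE p.name = ? AND gr.user_name IN (?, 'visitor')
               AND gr.role IN (?, ?, ?) ORDER BY g.name"""
    groups = [r[0] for r in conn.execute(sql, (name, user) + READ_ROLES)]
    return {"name": name, "groups": groups}
```

Filtering group names this way is stricter than the ticket's final state, where an unauthorised group is still named in the all_fields output.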
Change History
WUI and REST interfaces recently updated. You can't read, list or search for packages or groups you are not authorised for.
The only remaining view of a non-authorised group is that the group is named when viewing a package using the all_fields option in the REST interface. But no details of other packages in the group are given.