Ticket #133 (closed defect: fixed)

Opened 5 years ago

Last modified 4 years ago

Security hole - search package/group (WUI & REST)

Reported by: dread
Owned by: rgrp
Priority: major
Milestone:
Component: ckan
Keywords:
Cc:
Repository:
Theme:

Description

Using WUI or REST interface you can search packages and groups without authorization being checked.

On the REST interface you can also read all the attributes of the packages using the 'all-fields' option.

Can be fixed using a more advanced query to check authz.

Change History

comment:1 Changed 4 years ago by dread

  • Status changed from new to closed
  • Resolution set to fixed

WUI and REST interfaces recently updated. You can't read, list or search for packages or groups you are not authorised for.

The only remaining view of a non-authorised group is that the group is named when viewing a package using the all_fields option in the REST interface. But no details of other packages in the group are given.
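The defect in the description and the fix in comment:1, as an added illustration that is not CKAN's own code: an in-memory package/group store with a hypothetical role table, a search that ignores authz (the reported hole, including the all_fields leak), and a search that filters by the caller's read permission before returning names or full records. The names `can_read`, `search_packages`, `search_groups`, `group_packages`, the pseudo-user `visitor` and all sample data are assumptions made for this example; the residual behaviour from comment:1 (a non-authorised group is still named in an authorised package's record, but its other packages are not listed) is reproduced deliberately.

```python
"""Authz-filtered package/group search (illustration for ticket #133).

Not CKAN code. Role table, user names and sample data are constructed
for this example; 'visitor' stands for an anonymous caller.
"""
from dataclasses import dataclass, field

READ = "read"


@dataclass
class Package:
    name: str
    title: str
    notes: str
    groups: list            # names of groups the package belongs to
    extras: dict = field(default_factory=dict)


@dataclass
class Group:
    name: str
    title: str


# Constructed sample data. Everything tagged 'internal' is meant to be
# readable by 'alice' only; 'pub-weather' is public but also sits in the
# non-public 'internal' group.
PACKAGES = [
    Package("pub-weather", "Weather observations", "Daily weather readings",
            ["public-data", "internal"]),
    Package("secret-budget", "Budget forecast",
            "Internal budget planning, not for publication",
            ["internal"], {"owner": "finance"}),
    Package("staff-handbook", "Staff handbook", "Internal HR policies",
            ["internal"]),
]
GROUPS = [Group("public-data", "Public data"), Group("internal", "Internal")]

# Hypothetical role table: (object type, object name) -> {user: actions}.
ROLES = {
    ("package", "pub-weather"): {"visitor": {READ}, "alice": {READ}},
    ("package", "secret-budget"): {"alice": {READ}},
    ("package", "staff-handbook"): {"alice": {READ}},
    ("group", "public-data"): {"visitor": {READ}, "alice": {READ}},
    ("group", "internal"): {"alice": {READ}},
}


def can_read(user, obj_type, name):
    """True if the user holds the read action on the named object."""
    return READ in ROLES.get((obj_type, name), {}).get(user, set())


def _matches(q, *fields):
    q = q.lower()
    return any(q in f.lower() for f in fields)


def package_record(p):
    """The 'all_fields' view: every attribute, including group names."""
    return {"name": p.name, "title": p.title, "notes": p.notes,
            "groups": list(p.groups), "extras": dict(p.extras)}


def search_packages_unchecked(q):
    """The reported hole: no authz check, so any caller sees every hit."""
    return [p.name for p in PACKAGES if _matches(q, p.name, p.title, p.notes)]


def search_packages(user, q, all_fields=False):
    """The fix: the permission filter is part of the query, so neither the
    names nor the attributes of unauthorised packages reach the caller."""
    hits = [p for p in PACKAGES
            if can_read(user, "package", p.name)
            and _matches(q, p.name, p.title, p.notes)]
    if all_fields:
        return [package_record(p) for p in hits]
    return [p.name for p in hits]


def search_groups(user, q):
    """Group search with the same permission filter applied."""
    return [g.name for g in GROUPS
            if can_read(user, "group", g.name) and _matches(q, g.name, g.title)]


def group_packages(user, group_name):
    """Listing a group's members needs read on the group itself, and the
    members are then filtered by the caller's package permissions. An
    unauthorised group is reported as None, same as an unknown one."""
    if not can_read(user, "group", group_name):
        return None
    return [p.name for p in PACKAGES
            if group_name in p.groups and can_read(user, "package", p.name)]


if __name__ == "__main__":
    print("unchecked:", search_packages_unchecked("internal"))
    print("visitor:  ", search_packages("visitor", "internal"))
    print("all_fields:", search_packages("visitor", "weather", all_fields=True))
    print("group list:", group_packages("visitor", "internal"))
```

The all_fields result for `visitor` shows why comment:1 calls the remaining exposure a group name only: the record for `pub-weather` names `internal`, yet `search_groups("visitor", "internal")` is empty and `group_packages("visitor", "internal")` returns None, so nothing about `secret-budget` or `staff-handbook` is disclosed.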
