
fix solr security problem with individual users #20

Open
reekitconcept opened this issue Dec 14, 2023 · 0 comments
Steps to Reproduce


  • as admin
  • click on search button
  • search for an event with a word from its title
  • -> actual behavior: the event is not returned
  • -> behavior you would expect: the event is returned

Reason

Collective.solr replaces ":" with "$" in roles, but we did not compensate for this in the backend service. As a consequence, when any role is needed involving a username, or roles containing ":" (for example user:user1 or user$AuthenticatedUsers), the content is not returned for the current user.

It's unlikely that this gives a security attack vector, but it's confirmed that for some users some content is not returned that should be returned.
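The matching failure described under Reason, as an added Python example that is not part of the issue or of the project's code. The index records, the role list and the filter builder are all constructed here; the only assumption taken from the issue is that collective.solr rewrites ":" to "$" in allowedRolesAndUsers at index time, so a query side that does not apply the same rewrite can never match content shared with an individual user.

```python
# Constructed sample of what the Solr index holds (hypothetical records).
# Per the issue, collective.solr stores allowedRolesAndUsers with ":"
# replaced by "$" at indexing time, so "user:admin" is indexed as "user$admin".
INDEXED_DOCS = [
    {"UID": "event-1", "Title": "Board meeting", "allowedRolesAndUsers": ["user$admin"]},
    {"UID": "page-1", "Title": "Public page", "allowedRolesAndUsers": ["Anonymous"]},
    {"UID": "event-2", "Title": "Team retrospective", "allowedRolesAndUsers": ["Manager"]},
]

# Roles the request carries for the admin user (constructed; note the
# unmangled "user:admin" entry that the backend passed through untouched).
ADMIN_ROLES = ["Manager", "Authenticated", "Anonymous", "user:admin"]

# Single-character Solr query operators that must be escaped in a literal
# term. "$" is not among them, which is why collective.solr can use it safely.
SOLR_SPECIAL = set('+-!(){}[]^"~*?:\\/ ')


def mangle_role(role: str) -> str:
    """Apply the same ':' -> '$' rewrite the indexer applied (assumed from the issue)."""
    return role.replace(":", "$")


def escape_term(value: str) -> str:
    """Backslash-escape Solr operator characters so the value is a literal term."""
    return "".join("\\" + c if c in SOLR_SPECIAL else c for c in value)


def build_security_filter(roles, compensate: bool) -> str:
    """Build the allowedRolesAndUsers filter query for the current user's roles.

    With compensate=False the query carries the raw "user:admin" (escaped as
    "user\\:admin"), which never equals the indexed "user$admin".
    """
    terms = [mangle_role(r) if compensate else r for r in roles]
    return "allowedRolesAndUsers:(" + " OR ".join(escape_term(t) for t in terms) + ")"


def matching_uids(docs, roles, compensate: bool):
    """Simulate the term match Solr performs: a doc is visible if any of its
    indexed allowedRolesAndUsers values equals one of the query terms."""
    terms = {mangle_role(r) if compensate else r for r in roles}
    return [d["UID"] for d in docs if terms & set(d["allowedRolesAndUsers"])]


if __name__ == "__main__":
    print(build_security_filter(ADMIN_ROLES, compensate=False))
    print("without compensation:", matching_uids(INDEXED_DOCS, ADMIN_ROLES, False))
    print(build_security_filter(ADMIN_ROLES, compensate=True))
    print("with compensation:   ", matching_uids(INDEXED_DOCS, ADMIN_ROLES, True))
```

Content shared only with the individual user (event-1) drops out of the uncompensated result while content visible through ordinary roles is unaffected, which is the symptom reported above; the fix is to apply the same rewrite on the query side that the indexer applied.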

@reekitconcept reekitconcept added the bug Something isn't working label Dec 14, 2023
@reekitconcept reekitconcept self-assigned this Dec 14, 2023